Reporting Vulnerabilities

The $10,000 Mac Hack

I recently read a comment about this hack wondering how long the author had sat on the exploit rather than reporting it to Apple. It’s a very important point.

My opinion of these “security researchers” is well known: there’s a difference between bird watching and research. Finding yet another buffer overflow isn’t “research.” Creating a new way to secure systems is research. Coming up with whole new classes of attack might be research (along the lines of bioweapon research). Those who hunt new instances of old bugs are collectors of exotic animals, weapon manufacturers, volunteer quality testers, or a half-dozen other categories that have little to do with science or research.

That said, it’s not surprising that these guys would sit on the exploits they’ve found, and there are many lessons to be found in there. Reporting a defect to a vendor, at best, will get a terse “we’ll look at it” and at worst will get federal agents at your door. There’s no upside except that you might feel good about yourself and might not be punished for it. On the other hand, 0days are the currency of the underground. Even if you’re just a collector, you need 0days in order to get other 0days. Every time you report one, you have less to trade.

Those who sell their services as pen testers need a cache of 0days so they can break in with undisclosed vulnerabilities when all else fails. If they disclose, then their customers’ systems might actually be hard to break into and they don’t look like good pen testers. There is profit in showing you can break into systems. There’s little profit in making everyone’s systems safer.

Actual criminals of course aren’t going to report that they’ve learned how to break into your system.

All of this is very important to keep in mind whenever you begin to think a system is secure just because there aren’t a lot of widely publicized exploits. The guys you most worry about are the least likely to tell you what they know.