The right (way) to disclose vulnerabilities

Last month The Guardian and the BBC reported that a research paper from the University of Birmingham had been barred from publication by a judge because it discussed weaknesses in the security of the starting mechanisms (immobilisers and key transponders) used in cars from many manufacturers (BMW, Porsche, Fiat, Peugeot, etc.).

Related work had already been presented publicly at the 21st USENIX Security Symposium, where a video of the talk is available online. A quick Google search also turns up a PDF paper explaining how a car can be "gone in 360 seconds" by attacking its key transponder. If that was the paper stopped from publication, then I don't think it provided enough detail to warrant legal action.

This opened a debate about free speech and the right to do and publish research versus responsible vulnerability disclosure.
But what is a "responsible way" to disclose vulnerabilities? The common consensus among white hat hackers and researchers seems to be: give the vendor or manufacturer time to fix the issue, then publish. "Time" is usually six months, after which most hackers and researchers will argue that the vendor is not reacting fast enough and that, for the greater good, the vulnerability should be published to kick the vendor into action.

But is it really always for the greater good?

In this recent car-theft example, the researchers did notify the car manufacturers, and very little had been done six months later. With knowledge of the vulnerability (and the right RFID equipment), all of those cars could be stolen in a few minutes, so publishing a paper describing how to do it would force the vendors to finally fix the flaw. But it would also hand that knowledge to criminals, who could use it to steal cars.

How can this be considered responsible disclosure? Putting further pressure on vendors, yes. But facilitating further criminal activity in the process, maybe not.

Being responsible in disclosing vulnerabilities is not just about waiting a set amount of time; it also means considering the impact disclosure could have on all the parties involved, including the end users. Balancing the need to put pressure on vendors against the need to protect users from the vulnerability is, after all, the main reason for doing the research in the first place.

It is human nature to want to shout our accomplishments to the world: our Eureka moments, the discoveries we feel will have a major impact, and so on. The "responsible disclosure" principle gets in the way of this urge to tell others about what matters to us, and taking the time to reflect on the consequences is therefore often lost in the process.
