web application security lab

Google/Youtube Ultimatum

Yesterday, christ1an published an ultimatum to Google and Youtube regarding vulnerabilities in their applications. His deal - work with him within the next few weeks or expect full disclosure on one or more vulnerabilities. From his posting:

Taking that into account I’m going to have one last try and give you two weeks from now to contact me. If you don’t, I am obliged to disclose all vulnerabilities in public.

christ1an is not the only person to voice concerns over how companies respond to vulnerability researchers, or to voice severe frustration at the lack of response. It’ll be interesting to see how this one pans out; the companies are obviously less integrated than they probably should be, even after all of the vulnerabilities found in Google, like the most recent Google vulnerability found by Mustlive.

5 Responses to “Google/Youtube Ultimatum”

  1. dre Says:

    Isn’t that extortion?

  2. kaes Says:

    well it’s not like he’s getting anything from it either way, except “general security for the public”

    so if you wanna say he’s extorting google into giving their users some security (like they promise in their TOS), then, yeah, it probably is.

    also the “full disclosure: ethical or not” debate has been done only like a million times or so. you can google your own pro and con arguments.

  3. Andy Says:

    What do most companies in the web space do about publishing contact details for security vulnerabilities? It’s tough to be completely open about security reporting locations without confusing users in some cases, etc.

    I like google’s security reporting page. Microsoft’s isn’t too bad either. Any other good examples floating around?

  4. John @ NIST.org Says:

    Extortion requires that he gets something in return, he isn’t asking for anything. I think he is simply saying “I’ve sat on these things long enough, you’ve got two more weeks and then I publish what I know”. News organizations do that all the time. The local police ask the news to sit on a story while they investigate and the reporter says “ok, I can sit on it for 48 hours”.

    Whether it is ethical or not is another question. But one must assume that Google has the resources to fix these things in 2 weeks. My personal opinion is they are being less ethical by allowing these problems to fester than someone giving them two (more) weeks before disclosing it.

    XSS problems are public nuisances and should be treated that way. They have more potential for damaging visitors than damaging the web servers hosting the problem. I’m surprised they aren’t covered by a public nuisance law. They certainly should be subject to civil litigation should someone lose money in a phishing scheme because they thought they were visiting one site but were XSS’ed to another one. (IMHO)

  5. Ryan Says:

    Even if they DON’T have the resources to fix these vulnerabilities in 2 weeks… That isn’t even what Christian seems to be requesting here. Christian is merely asking them to contact him. We have to assume they have the resources to CONTACT people who are going out of their way to do the job google promises to do in their TOS.

    In my opinion, it would be irresponsible for Christ1an to continue sitting on these vulnerabilities. Responsible disclosure only works when the companies disclosed to are cooperative. When they aren’t, the researcher who is disclosing is faced with a tough decision. Continuing to wait without giving google this kind of a push is just an irresponsible decision, unless you’re under the impression that malicious hackers can’t find vulnerabilities… and if you are, you’re just not paying attention.
