Once upon a time the name of the game was buffer overflows. We spent countless hours banging on IDA Pro trying to get some debugger to give us the magical EIP as we smashed on our keyboards for hours. Life was a lot simpler back then - we banged on our own computers, trying to make them crash. We weren’t hurting anyone, and it made sense that we had a disclosure policy that matched that. Rain Forest Puppy released an epic document called RFPolicy that was designed to solve the problem of responsible disclosure. It allowed the industry time to solve the challenges of patching, while still giving the researcher the credit for their work. The companies were forced to explain what happened when they released their patches, at which point it made sense to credit the researcher. Times have changed.
While RFPolicy is absolutely still practical and useful, even RFP admitted to me that it doesn’t cover the one area a lot of us now work in the most - web server vulns. Unlike hacking your own computer, when you hack a website it’s got all sorts of implications. But here are the most likely worst cases: the owner may do nothing, they may fix it and not tell anyone, or they may decide it’s illegal for you to be finding the vulns and try to prosecute you. None of which are any good for the poor researcher looking to help the website and/or possibly trying to increase their own name brand in doing so.
Along comes RSPolicy (obviously incomplete). In the same vein as RFPolicy, I wanted to create something that solved the unique problems that web researchers face, which is that they want either a) to be recognized, b) to get the hole fixed, or c) both. In any case, they still fear the worst cases mentioned above. RSPolicy was both a tool and a policy designed to set timeframes within which exploits should reasonably, in a worst case, be fixed. Additionally, I was going to build a tool (essentially an anonymous one-directional webmail) to prevent the companies from knowing who was reporting the vuln, so as to prevent prosecution in the worst case.
The goal was to get companies to agree to the RSPolicy, and throw up a page, explaining at a high level who found the hole, what it was, and potentially dates that it was found and closed. It all seemed like a lofty goal. Now I needed to get a few big companies to agree to timeframes. Here’s where it got ugly.
In order to protect the companies I picked I’m not going to use their names here, but trust me, you’ve heard of the companies. I picked them because they were huge, and they have these problems all the time. That means that they aren’t quick on their feet, which is perfect since I was really looking for a worst case anyway. Alas, one of the companies was unwilling to put limits on anything - fearing reprisal or even lawsuits from their customers. Another company felt the impact of this would be pretty massive to their ability to be able to fix flaws (in a good way) but never bought off on verbiage and also never put a line in the sand. Then I started talking to people in the industry.
I spoke with RFP, of course, and I didn’t get the feeling he felt it was providing enough of a mechanism. I spoke with a few others who felt that people wouldn’t adopt the tool portion (which I don’t care about but it’s a good point). And when it came down to it the major beef I heard was that it actually wasn’t a policy, so much as a moving line in the sand that was ill defined. I agree. And henceforth I have given up on the project. While a noble goal, I think I’m just exhausted by the concept. The companies have all completely dropped the ball at this point, despite the fact all three have had vulnerabilities found in their sites within the last month that I am personally aware of. So despite the ball dropping the problem hasn’t gone away.
I’m not looking for the community to pick up where I left off - that’s not my goal. My goal at this point is just to let everyone know that perhaps there is an alternative out there, and there is no reason you cannot make up your own policy at any time that makes sense for whatever application you need it for. I chose RSPolicy because I thought it fit a need. Perhaps it will for some, but I’m not going to build the tool, host it, or work on RSPolicy anymore, which is why it is in the state it is (incomplete). The companies mentioned who read this (and they all do) all continue to have the opportunity to work with the community however they see fit - I’m just not going to facilitate.