web application security lab

Why I Never Posted RSPolicy

Once upon a time the name of the game was buffer overflows. We spent countless hours in IDA Pro, trying to get some debugger to hand us the magical EIP as we smashed on our keyboards. Life was a lot simpler back then - we banged on our own computers, trying to make them crash. We weren’t hurting anyone, and it made sense that we had a disclosure policy that matched that. Rain Forest Puppy released an epic document called RFPolicy that was designed to solve the problem of responsible disclosure. It gave the vendor time to work through the challenges of patching, while still giving the researcher credit for their work. The vendors had to explain what happened when they released their patches, and at that point it made sense to credit the researcher. Times have changed.

While RFPolicy is absolutely still practical and useful, even RFP admitted to me that it doesn’t cover the one area a lot of us now work in the most - web server vulns. Unlike hacking your own computer, hacking a website has all sorts of implications. Here are the most likely worst cases: the owner may do nothing, they may fix it and not tell anyone, or they may decide it’s illegal for you to be finding the vulns and try to prosecute you. None of which is any good for the poor researcher who is trying to help the website and/or build their own name brand in the process.

Along comes RSPolicy (obviously incomplete). In the same vein as RFPolicy, I wanted to create something that solved the unique problems web researchers face: they want a) to be recognized, b) to get the hole fixed, or c) both, and in any case they still fear the worst cases mentioned above. RSPolicy was both a tool and a policy, designed to set timeframes within which vulnerabilities should reasonably, even in a worst case, be fixed. Additionally, I was going to build a tool (essentially an anonymous one-directional webmail) to keep the companies from knowing who was reporting the vuln, so as to prevent prosecution in the worst case.

The goal was to get companies to agree to the RSPolicy and throw up a page explaining, at a high level, who found the hole, what it was, and potentially the dates it was found and closed. It all seemed like a lofty goal. Now I needed to get a few big companies to agree to timeframes. Here’s where it got ugly.

In order to protect the companies I picked, I’m not going to use their names here, but trust me, you’ve heard of them. I picked them because they are huge and have these problems all the time. That means they aren’t quick on their feet, which is perfect, since I was really looking for a worst case anyway. Alas, one of the companies was unwilling to put limits on anything, fearing reprisal or even lawsuits from their customers. Another felt the impact on their ability to fix flaws would be pretty massive (in a good way), but never bought off on the verbiage and never put a line in the sand either. Then I started talking to people in the industry.

I spoke with RFP, of course, and I didn’t get the feeling he felt it provided enough of a mechanism. I spoke with a few others who felt that people wouldn’t adopt the tool portion (which I don’t care about, but it’s a good point). When it came down to it, the major beef I heard was that it actually wasn’t a policy so much as a moving, ill-defined line in the sand. I agree. So I have given up on the project. While a noble goal, I think I’m just exhausted by the concept. The companies have all completely dropped the ball at this point, despite the fact that all three have had vulnerabilities found in their sites within the last month that I am personally aware of. So despite the ball dropping, the problem hasn’t gone away.

I’m not looking for the community to pick up where I left off - that’s not my goal. My goal at this point is just to let everyone know that perhaps there is an alternative out there, and there is no reason you cannot make up your own policy at any time that makes sense for whatever application you need it for. I chose RSPolicy because I thought it fit a need. Perhaps it will for some, but I’m not going to build the tool, host it, or work on RSPolicy anymore, which is why it is in the state it is (incomplete). The companies mentioned who read this (and they all do) continue to have the opportunity to work with the community however they see fit - I’m just not going to facilitate.

11 Responses to “Why I Never Posted RSPolicy”

  1. Spyware Says:

    Maybe it’s time for a 3rd party company to handle these issues. Exchange of information, arrange legal “stuff” and make sure the paperwork is okay. The “big companies” don’t handle security issues very well themselves ATM. Why not outsource this problem to a knowledgeable, friendly company which knows what it’s doing? A company who dares to pick up the ball and plays along?

  2. BrianWGray Says:

    I can fully understand why a company wouldn’t want to commit to a hard deadline for fixes. They don’t want to have to do all the PR backpedaling like in the whole “10 day” incident. It is a novel idea though. The only way I see this working is if someone is willing to provide a “legal umbrella” for researchers. An organization that says: post your findings through us. The organization evaluates the legality of the findings and forwards legitimate information to the parties involved. The researcher gets credit for the findings and the “umbrella” organization protects the researcher’s legal interests.

    Problem is who pays for it.

  3. Dave Says:

    RSnake,

    I appreciate your effort. I agree that the industry does need to take some ownership for this issue, and companies need to take responsibility for their problems. Arriving at a standard mechanism for reporting these issues is a good concept and one that protects the researchers.

    For sure, some sort of agreement needs to be widely accepted between researchers and corporations. Businesses need to understand that without a safe way to report findings, researchers (regardless of their position) will go into obscurity and the game will just get a lot worse for users. It’s either that, or companies need to just get over it and be ready for the onslaught of 0day disclosure every_day.

  4. ntp Says:

    What about NTPolicy?

  5. Ronald Says:

    Time to update the forums with RSPolicy? :)

  6. RSnake Says:

    @ntp - they are totally unrelated, I’m not sure what you mean.

    @Ronald - no, RSPolicy is not complete enough to tell people to use it. It’s missing the time frames.

  7. Ronald Says:

    Maybe an idea to let the researcher determine the timeframe? I don’t know, but it really gets on my nerves when I am emailing back and forth for 4 weeks. I usually set the timeframe myself ’cause I have a short concentration span, goldfish-like, yah some 2 seconds ;)

  8. RSnake Says:

    @Ronald - That’s really a bad idea for the reason you mentioned actually, hahah… the last thing you want is security guys telling companies to fix their stuff in ten minutes or they’ll blow up the world. The goal is to help the security people do their job - get holes fixed, and make a name for themselves if that’s what they’re after. Not hurt their reputation amongst the industry.

  9. Bipin 3~ Upadhyay Says:

    hahah… the last thing you want is security guys telling companies to fix their stuff in ten minutes or they’ll blow up the world.

    Reminds me of Swordfish. :P

  10. RSnake Says:

    @Bipin - I apologize. I never meant to remind anyone of that terrible movie. No, that’s just wrong of me. ;)

  11. Nick Williams Says:

    I would be very interested in a mechanism that simply protects a researcher from prosecution following a notice of vulnerability. I’m sure we’re all aware of several sites that are running around with their flies open, yet we’re too scared to contact them for fear of repercussions.

    It would be nice to have an arbitration sort of system where a researcher could anonymously (well, somewhat) notify a webmaster of a flaw. The third party would contact the person notifying them that there *is* an issue, but will not tell them what it is unless they agree to some sort of binding document or similar that will effectively prevent the pursuance of criminal charges against the researcher - even in the event that the third party be required to turn over logs of the submission by the researcher.

    Surely it’s not that simple since one could argue that the third party is perhaps aiding and abetting or similar… but something along these lines needs to be done.

    I think it is ludicrous that I’m too fearful to let a company know they have oodles of CCs and personal information one SQL query away.