When to disclose a zero-day vulnerability

On Halloween day, Google gave Microsoft a big seasonal scare when its security researchers informed the public of a major Windows zero-day vulnerability—a previously unknown security flaw. To Microsoft, it probably seemed like a ghoulish trick: The company had worked with Google’s Threat Analysis Group to fix it but hadn’t yet updated customer software.

Microsoft cried foul, saying it had a patch ready to be installed in its next planned update. Google defended its decision in its original blog post, saying hackers were using the flaw against targets—and Microsoft was moving too slowly.

When reached for comment, a Microsoft representative would only point to a nearly 2-year-old call by the company for better coordination when disclosing zero-days and other vulnerabilities.

Google did not return requests to comment.

The dispute between the two companies centers on what the trigger to require disclosure of a vulnerability should be, says Katie Moussouris, founder and CEO of Luta Security, who wrote Microsoft’s Coordinated Vulnerability Disclosure policy when she worked for the Redmond, Wash.-based company. Microsoft, she says, “will wait for independently verified evidence of growing attacks in the wild,” while Google prefers to move on “any evidence of attacks.”

Both approaches “have merit,” she says, adding that “as an independent researcher without access to industrial telemetry, or insight into active attacks,” one has to make a “judgment call” on whether to disclose a zero-day vulnerability.

“In any case, researchers, and companies that employ researchers, should be doing their best to minimize risk” to consumers, Moussouris says.

Various sets of guidelines regarding when to disclose a zero-day lack consensus. Researchers who want to see vulnerabilities patched and consumers protected dig into software vendors’ products for vulnerabilities, sometimes without permission and often without legal protections. Vendors such as Microsoft, Apple, and Google, meanwhile, wrestle with how best to swiftly patch a flaw—ideally before it’s widely known and exploited by hackers, and ideally without any unintended side effects.

No federal, state, or international rules govern when or how to handle zero-day disclosures, leaving the software industry and security researchers to their own devices.

Thus far, the only consensus appears to be that creating strict rules for vulnerability disclosure is not easy—and may not even be a good idea, says Art Manion, a computer vulnerability analysis expert and leader at Carnegie Mellon University’s Computer Emergency Response Team, widely known as CERT.

“CERT’s policy states that we wait 45 days [for the vendor to patch a vulnerability before disclosing], but the very next sentence gives us a lot of leeway to go earlier. One of the primary reasons to go earlier is that the vulnerability is being used in attacks,” Manion says. “That’s a cause not to wait any longer, since attackers already know. In a case like that, the vendor is racing for the patch, anyway.”

Google’s policy is 90 days, with a 14-day grace period added after the last time that Google released a zero-day on Microsoft. Other security research policies include Yahoo’s 90-day policy and Zero Day Initiative’s 120-day policy.

There are legitimate reasons to delay a zero-day patch, says Casey Ellis, founder and CEO of Bugcrowd, which helps other companies create and manage bug bounty programs, through which security researchers are paid by the company for submitting software vulnerabilities instead of selling them on the black market.

Ellis points to instances of software breaking after an update, and notes that it’s important for software vendors to do regression testing to ensure that a fix doesn’t break something else in the code. That’s not easy for major software vendors like Microsoft, whose flagship Windows operating system has billions of lines of code.

“If you’ve got 30-year infrastructure, there’s going to be a lot of skeletons in the closet,” Ellis says. “The risk is pushing a patch that causes a problem, and potentially affects the update mechanisms themselves.”

But he also says some vendors are sluggish about responding in a timely manner, if ever.

“Some companies are really good” about responding, he says. “Some are terrible.”

The ethical considerations of when to disclose can keep some researchers up at night. Are researchers better off releasing a zero-day sooner, so that the vendor feels pressured to fix it faster? Or does that create an opening for malicious hackers to exploit vulnerable systems?

In a column posted to Medium, a security researcher who goes by the Twitter handle the grugq weighed Google’s recent decision.

“I think waiting an additional few days to allow Microsoft to roll out their scheduled patch wouldn’t have increased the potential risk significantly, not compared to the increased risk of having an 0day on the loose for a week,” the grugq wrote, adding, “I don’t subscribe to the ‘tell other people what to do with their information’ school of thought, so Google was absolutely within their rights to drop 0day.”

Minimizing risk to the consumer is key, Moussouris says. For her, that means getting the vendor and the researcher on the same page about when to disclose the vulnerability.

“My one rule in disclosure is ‘no surprises,’” she says. “Even if the finder of the bug, and the vendor who needs to fix it, disagree on the timing of disclosure, it’s in everyone’s best interest to coordinate the release, even if it’s not at a time of the vendor’s choosing.”

CERT’s Manion also worries most about keeping the user safe from vulnerabilities that are coming closer than ever before to having an impact in the physical world, thanks to the Internet of Things.

“Recalling 150,000 cars or grounding airplanes is different from Oracle patching once a year,” he says. “With Internet-connected medical devices, do you wait until all the patients have gotten replacements, and then disclose it? Safety-critical Internet of Things is a different animal than a traditional computer.”