A Politics of Vulnerability Reporting
Black Hat Briefings, Europe 2001
Scott Blake, Director of Security Strategy, BindView Corporation/RAZOR Research

Transcript of the slide deck (21 slides).

Page 1

A Politics of Vulnerability Reporting

Black Hat Briefings, Europe 2001

Scott Blake, Director of Security Strategy

BindView Corporation/RAZOR Research

Page 2

April 19, 2023

Agenda

• Introduction
  – What is Politics?
• The Past and Present
  – Ideologies, Actors, and Initiatives
• The Future
  – Trends and Probabilities

Page 3

What is Politics?

• The study of power
  – Power is the ability to make one do what one would not otherwise do.
• Important Terms
  – Actor: One who uses or is subject to power
  – Ideology: A set of beliefs or ideas
  – Legitimacy: In accordance with established standards or patterns
  – Authority: Legitimate power

Page 4

Ideologies

• Full disclosure
• Zero disclosure
• Responsible disclosure

Page 5

Full Disclosure

• Tenets
  – Information wants to be free
  – Use the power of public opinion to make vendors improve code
  – Exploit code is more useful than destructive
• Adherents
  – Most non-profit researchers
  – Very few commercial researchers

Page 6

Zero Disclosure

• Tenets
  – Responsibility for fixing vulnerabilities lies with the software vendor
  – Authors of software should control information relating to that software
  – There is no public good in broad availability of vulnerability information
• Adherents
  – Many software vendors
  – Many government actors
  – Much of the public

Page 7

Responsible Disclosure

• Tenets
  – Exploit code causes more problems than it solves
  – Broad dissemination of vulnerability information is required to improve security awareness
  – Use the power of public opinion to make vendors improve code
• Adherents
  – Most commercial researchers
  – Some notable software vendors

Page 8

The Actors

• Vendors
• Researchers
• Governments
• Media
• The Public

Page 9

Vendors

• Motivators
  – Shareholder value
• Financing
  – Software sales
• Interests
  – Limit damage to brand value
  – Limit vulnerability of customers
  – Sell more software
• Power Relations
  – Often try to prevent public disclosure of vulnerability information through legal action, market leverage, lobbying

Page 10

Researchers

• Motivators
  – Advance state of the art
  – Build more security
  – Build name recognition/peer respect
• Financing
  – Day job
  – Customers (grant, contract)
  – Software sales

Page 11

Researchers (2)

• Interests
  – Continue financing source
  – Maintain/extend reputation
• Power Relations
  – Hobbyists are largely free from external influence, providing the day job does not interfere
  – Academic and consultative researchers are largely beholden to their funding source, but different funders set different restrictions
  – Commercially-sponsored researchers are beholden to the parent company’s interests

Page 12

Governments

• Motivators
  – Technocratic perception of public good
• Financing
  – Taxes
  – Campaign contributions
• Interests
  – Economic growth
  – Public safety
• Power Relations
  – Prosecution of criminal or negligent behavior
  – Large purchaser of information technology

Page 13

The Media

• Motivators
  – “All the news that’s fit to print”
• Financing
  – Advertisements
  – Subscribers
• Interests
  – More readers
• Power Relations
  – Very powerful creators of brand, image
  – Influencers of public perception

Page 14

The Public

• Motivators
  – Too chaotic to be relevant
• Financing
  – Too chaotic to be relevant
• Interests
  – Stable, secure software
• Power Relations
  – Wields tremendous power, but very difficult to direct in any specific direction

Page 15

Initiatives

• Council of Europe Cybercrime Treaty
• US anti-terrorism legislation
• Disclosure forums
• Coalition for Internet Safety

Page 16

Council of Europe’s Cybercrime Treaty

• Intended Outcomes
  – Harmonize and update European computer crime laws
• Unintended Outcomes
  – Potential for mis-implementation of tools provisions may have a chilling effect on research
  – Language pertaining to intent may lead to certification requirements for security practitioners

Page 17

USA’s PATRIOT Act

• Intended Outcomes
  – Adds cybercrime to the list of terrorist acts
  – Strengthens provisions against aiding and abetting terrorists
• Unintended Outcomes
  – Since hackers are now terrorists, is publishing vulnerability information aiding and abetting?

Page 18

Disclosure Forums

• Intended Outcomes
  – Get information to those who need it
• Unintended Outcomes
  – Puts information in the hands of the “bad guys”

Page 19

Coalition for Internet Safety

• Intended Outcomes
  – Limit availability of information to “bad guys”
• Unintended Outcomes
  – Limit availability of information to everyone

Page 20

Trends

• Increasing legislation
• Improving communication channels
• More and more research being done
• More vicious attacks
• Continuing penetration of Internet access

Page 21

Probabilities

• Will the public demand security?
• Who will pay for security?
• A war on hackers/cyberterrorists?
• Lessons from recent events
• Security for the people?