Was Tavis Ormandy’s Disclosure Irresponsible?
Regarding Tavis Ormandy’s recent disclosure of a vulnerability in Windows Help and Support Center, my understanding is that there are five basic paths to take when you have a valid vulnerability to disclose. They are enumerated below. In short, I think Tavis Ormandy went down the RFPv2 path, and thus was within his rights to disclose when he did assuming that Microsoft didn’t in fact reply to him within the 5 days allowed.
As a corporate defender, I would prefer that researchers not take such an aggressive stance with disclosure, but my point is that what he did might have long-standing precedent.
1). CERT/CC – Public disclosure happens within 45 days of the vulnerability being reported to CERT/CC. CERT/CC notifies the vendor per their own process.
2). Full Disclosure Policy (Rain Forest Puppy policy version 2 – RFPv2) – Reporter of the problem contacts the software vendor directly. The vendor is allowed 5 days to reply. If the vendor does reply within the 5 day time window, then a disclosure schedule should be agreed upon by both parties. After that, the vendor should provide updates every 5 days. The wording of the disclosure should be agreed upon by both parties. If the vendor does not reply back within 5 days of the initial contact, the reporter of the problem is free to disclose.
3). OIS (Organization for Internet Safety) – Finder submits a VSR (Vulnerability Summary Report). Vendor can choose to do a partial public disclosure at this point if they wish. The vendor must respond directly to the finder within 7 days. If the vendor doesn’t respond in 7 days, then the finder must submit again, and the vendor gets another 3 days to reply. If the finder doesn’t get a reply after this final 3 days, the finder is OK to publicly disclose.
4). Go through a vulnerability broker like Verisign iDefense VCP or TippingPoint ZDI and follow whatever policy that broker uses.
5). Sell directly to a private buyer. Many governments – including the U.S. – purchase vulnerabilities for their own purposes.
Having served as an intermediary before, I can tell you that this process sometimes isn’t a walk in the park. I am not saying anyone is right or wrong, but I am saying that what he did isn’t new and maybe he is being singled out unfairly in the media.
UPDATE 13 July 2010 – Microsoft has released a fix for this vulnerability in July 2010 patch MS10-042.
UPDATED 13 July 2010 http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx