Security research, like any business, is competitive, and everyones looking for some new angle. One of the hottest angles out is the “Month of XXX Bugs” phenomenon, where XXX is whatever product youre picking on.
Normal people are usually perplexed at the idea of so-called “good guys” publicizing bugs in other peoples products, especially security vulnerabilities. The security crowd is more forgiving of the problems with this practice because they appreciate the value in knowing about the bugs.
Well-known security researcher Thomas Ptacek of Matasano Security wanted to know what the security research community thought of these efforts and asked a collection of researchers he knew. He posted the responses in a blog entry.
Marc Maifrett, CTO of eEye, makes the important point that a large number of these bugs are just bugs. Comparatively few are demonstrable vulnerabilities, although many are potential vulnerabilities, in the sense that they crash the program and its hard to demonstrate that the crash is not exploitable.
These large numbers of bugs are the fruit of fuzzing, a testing technique in which outside test software randomly or semi-randomly generates input to the program under test. This stresses the program in ways probably unforeseen by its developers, exposing crashes and other bad behavior.
Maifretts bigger point is spot on, that there is nothing objectionable about publicity-hounding efforts like this if you do the disclosure responsibly. You need to tell the vendor in advance and give them an honest chance to confirm the bug and issue a patch, if they see fit. This is how eEye operates, and they are responsible for a good number of important vulnerability discoveries; in the time between the discovery and the patch they get to protect their own customers, which is a big part of their business case.
If, instead, you disclose zero-day vulnerabilities without giving anyone any warning, you are doing more than just hogging publicity—you are harming the interests of innocent third parties. What can be said other than “shame on you” for doing it. But so far there have been few real crises from the “Month of” campaigns.
HD Moore of BreakingPoint Systems thinks its a good thing, but thats not surprising since he ran the Month of Browser Bugs (by far the most interesting month) and has participated in others. I disagree with him; I dont think that irresponsible disclosure such as his has helped users or vendors any more than responsible disclosure would.
Finally, I also have to agree with Tim Newsham, listed as a security researcher and Haskell advocate: As much as these “Month of” efforts offend me with their no-notice policies, I cant help but follow them. Perhaps theyre the tabloid journalism of the security business.
And like most tabloid journalism, most of the bugs are of no real consequence to real people.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer