AV/AT Reviews -- Responsible Disclosure Policy

I would like to talk with you about responsible disclosure policies (in respect of AV/AT reviews). In particular, I would like to discuss the following thoughts:

1.
A reviewer should only be interested in the "well-being" of the AV/AT software users. The reviewer should not worry about the reputation or revenue of an AV/AT software producer (i.e., the reviewer should not put lipstick on the pig).

2.
A reviewer should definitely talk about a weakness which has already been disclosed in the VX/trojan scene. For example, if there is already an "advisory" on how to circumvent a particular scanner the reviewer should inform the AV/AT software users about this issue. In other words, the reviewer should not hold things back and should not tell the users that they are safe if they are not safe. The reviewer has to make sure, however, that his/her findings are true before publishing them.

3.
If a reviewer identifies a problem which has not already been disclosed in a trojan board or the like the reviewer should inform the AV/AT software producer first provided that such information allows the software producer to fix the problem in a timely manner. The reviewer should also inform the software users if this is possible w/o writing a "hacker tutorial" or the like. (For example, if a reviewer figures out an easy, semi-automatic way to integrate trojans into trusted applications he should write about this possibility but should not disclose the details.)

4.
The reviewer should not disclose sensitive information without having a proper reason. For example, if a reviewer invests a lot of time (relying on a trial and error approach) in order to identify the signatures used by a scanner to detect a specific trojan there is no good reason to disclose this particular signature. This is because the disclosure does not demonstrate an important weakness. It simply creates a weakness.



Please let me know your thoughts.

 

Helo anonymous abcguest,
Wayne and others have written valid procedures several times:
Always first inform the developer about finds, vulenerabilities can be mentioned in the bugtraq forums too, to give a helping hand there leading to solutions.
Common habit is to give a reasonable time to fix the problems.
After the public can be informed that fix xyz was created for vulnerability blabla, and if the reviewer wants the feathers can mention what he did to contribute to this fix.
It is not wise and unprofessional in any way to cause havoc by the public and cause the trojan community to jump on a possible weakness and thus endangering the users even more in the meantime before the fix is there.

 

Hi Jooske:

1.
Do your statements refer to my statement no. 3? If yes: there is no disagreement between you and me, right?

2.
But what do you think about my statements no. 1 and 2? You said in another thread: "To all those anonymous guests names appearing each time all of a sudden when it comes to blackening serious developers ..." This statement makes me wondering whether you would prefer reviewers to stay silent also in respect of known vulnerabilities?

Possibly, the same applies to Gavin who wrote: "Because users are posting things about hex editing, maybe a few more attackers will change things like this. If they didnt post anything, the extra detection might well save someone's PC. But they do continue to post this stuff IN THE OPEN. Its just like posting the actual signature for an antivirus scanner". Contrary to Gavin, I believe that you should openly address this issue because numerous (!) tutorials have been published by trojan users which exactly describe how to do it (i.e., a lot of attackers already know how to do it). Moreover, it makes sense to inform a user about this issue because this will help the user to decide for a scanner with multiple signatures (like TDS) which can be less easily circumvented than other scanners. In addition, a user may decide to use more than one scanner or ask for a scanner with rotating signatures.

 

hmmm, I'm not sure I'll understand the purpose of this thread.
Dolf

 

Hi Dolf,

1.
This thread is not about a particular scanner. I would prefer not to mention any particular scanner at all (at least not in a negative way).

2.
The purpose of this thread is to clarify what you should do and what you should not do when talking about a scanner. I am interested in this question because I frequently get into trouble when I post in a forum (not only wilderssecurity) and express my opinion about a scanner. Usually, it is not the software producer but the support team or the fan community who jumps on me. They usually come to the conclusion that my statements must be wrong and that my sole intention must be to bash their favorite scanner.

I feel that people sometimes fail to distinguish between guidelines no. (i) to (iv). IMHO, blackening a scanner is infringing guideline (iv) but not acting in accordance with guideline (i) and (iii).

But maybe you see it in a different way? In such case I would like to listen to your arguments.

 

Well, if you do your reviews completely according your guidelines, I can't see any problem.
Dolf

 

Hi,

I've only received one such paper about TDS, and there was a couple of weak signatures which were promptly rectified - possibly before this paper was ever posted on any trojan boards.

I since found another, and it was also corrected quickly. To post signatures needed to avoid detection would as you say take a long time to find, and only CREATE a weakness (as with any signature scanner, knowing the signature is everything)

 

That's fine. My intention was and is not to create havoc. Therefore, please protect my thread, LowWaterMark ;-)

TIA.