AV/AT Reviews -- Responsible Disclosure Policy

Discussion in 'other anti-trojan software' started by cguest, Nov 7, 2003.

Thread Status:
Not open for further replies.
  1. cguest

    cguest Guest

    I would like to talk with you about responsible disclosure policies (in respect of AV/AT reviews). In particular, I would like to discuss the following thoughts:

    1.
    A reviewer should only be interested in the "well-being" of the AV/AT software users. The reviewer should not worry about the reputation or revenue of an AV/AT software producer (i.e., the reviewer should not put lipstick on the pig).

    2.
    A reviewer should definitely talk about a weakness which has already been disclosed in the VX/trojan scene. For example, if there is already an "advisory" on how to circumvent a particular scanner the reviewer should inform the AV/AT software users about this issue. In other words, the reviewer should not hold things back and should not tell the users that they are safe if they are not safe. The reviewer has to make sure, however, that his/her findings are true before publishing them.

    3.
    If a reviewer identifies a problem which has not already been disclosed in a trojan board or the like, the reviewer should inform the AV/AT software producer first, provided that such information allows the software producer to fix the problem in a timely manner. The reviewer should also inform the software users if this is possible without writing a "hacker tutorial" or the like. (For example, if a reviewer figures out an easy, semi-automatic way to integrate trojans into trusted applications he should write about this possibility but should not disclose the details.)

    4.
    The reviewer should not disclose sensitive information without having a proper reason. For example, if a reviewer invests a lot of time (relying on a trial and error approach) in order to identify the signatures used by a scanner to detect a specific trojan there is no good reason to disclose this particular signature. This is because the disclosure does not demonstrate an important weakness. It simply creates a weakness.



    Please let me know your thoughts.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello anonymous cguest,
    Wayne and others have written valid procedures several times:
    Always first inform the developer about findings; vulnerabilities can be mentioned in the bugtraq forums too, to give a helping hand there leading to solutions.
    Common habit is to give a reasonable time to fix the problems.
    Afterwards the public can be informed that fix xyz was created for vulnerability blabla, and if the reviewer wants the feathers he can mention what he did to contribute to this fix.
    It is unwise and unprofessional in every way to cause havoc among the public and cause the trojan community to jump on a possible weakness, thus endangering the users even more in the meantime before the fix is there.
     
  3. cguest

    cguest Guest

    Hi Jooske:

    1.
    Do your statements refer to my statement no. 3? If yes: there is no disagreement between you and me, right?

    2.
    But what do you think about my statements no. 1 and 2? You said in another thread: "To all those anonymous guests names appearing each time all of a sudden when it comes to blackening serious developers ..." This statement makes me wonder whether you would prefer reviewers to stay silent also in respect of known vulnerabilities?

    Possibly, the same applies to Gavin who wrote: "Because users are posting things about hex editing, maybe a few more attackers will change things like this. If they didn't post anything, the extra detection might well save someone's PC. But they do continue to post this stuff IN THE OPEN. It's just like posting the actual signature for an antivirus scanner". Contrary to Gavin, I believe that you should openly address this issue because numerous (!) tutorials have been published by trojan users which describe exactly how to do it (i.e., a lot of attackers already know how to do it). Moreover, it makes sense to inform a user about this issue because this will help the user to decide on a scanner with multiple signatures (like TDS) which can be less easily circumvented than other scanners. In addition, a user may decide to use more than one scanner or ask for a scanner with rotating signatures.
     
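The technical claim in the post above (a hex edit defeats a scanner that keeps one byte pattern per sample, while several independent patterns, or patterns that rotate between releases, raise the attacker's cost) can be shown with a toy scanner. This is an added illustration, not code from the thread, from TDS or from any other product mentioned in it; the sample bytes, the patterns, the attacker's edit and the rotation scheme are all constructed for the demo and do not describe any real scanner or malware.

```python
"""Toy byte-pattern scanner used to illustrate the signature-evasion point
made in the thread. Added example: this is not code from the thread, from TDS
or from any other product it mentions. Every byte below is constructed for
the demo; nothing here is a real trojan or a real scanner signature."""

# Constructed sample: a fake binary with three separate regions an analyst
# might sign (a DOS-stub string, a config marker, a run of code-like bytes).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 8
    + b"RAT_CFG:port=31337;host=c2.invalid"   # constructed marker, not real
    + b"\x00" * 8
    + bytes.fromhex("558bec83ec20568b7508")    # constructed code bytes
    + b"\x00" * 16
)

# Constructed (name, pattern) pairs. The single-signature scanner uses SIGS[0] only.
SIGS = [
    ("cfg_marker", b"RAT_CFG:port=31337"),
    ("code_prologue", bytes.fromhex("558bec83ec20568b7508")),
    ("stub_text", b"cannot be run in DOS"),
]


def hex_edit(data: bytes, offset: int, new_byte: int) -> bytes:
    """Return a copy of data with the single byte at offset replaced."""
    return data[:offset] + bytes([new_byte]) + data[offset + 1:]


def scan_single(data: bytes, sig: bytes = SIGS[0][1]) -> bool:
    """Scanner that keeps exactly one pattern per sample."""
    return sig in data


def count_hits(data: bytes, sigs=SIGS) -> int:
    """How many of the independent patterns still match."""
    return sum(1 for _, s in sigs if s in data)


def scan_multi(data: bytes, sigs=SIGS, threshold: int = 1) -> bool:
    """Scanner that keeps several patterns and alerts if >= threshold match."""
    return count_hits(data, sigs) >= threshold


def evade(data: bytes, known_sigs) -> bytes:
    """Attacker's hex edit: flip the low bit of the first byte of every
    pattern the attacker knows. The sample is constructed so the edits are
    cosmetic; only the scanner's view of the file changes."""
    for s in known_sigs:
        off = data.find(s)
        if off >= 0:
            data = hex_edit(data, off, data[off] ^ 0x01)
    return data


def release_sigs(release: int, sigs=SIGS, k: int = 2):
    """Rotating scheme (constructed): release r ships k of the n patterns,
    shifting the window by one each release, so an attacker who tuned a file
    against release r has not seen everything release r + 1 looks for."""
    n = len(sigs)
    return [sigs[(release + i) % n] for i in range(k)]


def scan_rotating(data: bytes, release: int, sigs=SIGS, k: int = 2) -> bool:
    """Scanner whose active pattern set depends on the release number."""
    return any(s in data for _, s in release_sigs(release, sigs, k))


def demo() -> dict:
    """Walk through the three cases; returns the results for inspection."""
    one_edit = evade(SAMPLE, [SIGS[0][1]])                     # attacker knows one pattern
    all_edits = evade(SAMPLE, [s for _, s in SIGS])             # attacker knows all three
    tuned_r0 = evade(SAMPLE, [s for _, s in release_sigs(0)])   # tuned against release 0
    return {
        "single_detects_original": scan_single(SAMPLE),
        "single_after_one_edit": scan_single(one_edit),
        "multi_after_one_edit": scan_multi(one_edit),
        "hits_after_one_edit": count_hits(one_edit),
        "multi_after_all_edits": scan_multi(all_edits),
        "release0_on_tuned": scan_rotating(tuned_r0, 0),
        "release1_on_tuned": scan_rotating(tuned_r0, 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The single-pattern scanner is defeated by one flipped byte, the three-pattern scanner still reports two hits after that edit, and the attacker only gets past it after locating and editing every pattern, which is exactly the trial-and-error work cguest describes in point 4. The rotating variant shows the other half of the argument: a file tuned against release 0 is caught by release 1 because the set of active patterns moved. Raising `threshold` in `scan_multi` trades evasion resistance for a higher false-negative rate on damaged files, which is why real products keep it low.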
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    hmmm, I'm not sure I'll understand the purpose of this thread.
    Dolf
     
  5. cguest

    cguest Guest

    Hi Dolf,

    1.
    This thread is not about a particular scanner. I would prefer not to mention any particular scanner at all (at least not in a negative way).

    2.
    The purpose of this thread is to clarify what you should do and what you should not do when talking about a scanner. I am interested in this question because I frequently get into trouble when I post in a forum (not only wilderssecurity) and express my opinion about a scanner. Usually, it is not the software producer but the support team or the fan community who jumps on me. They usually come to the conclusion that my statements must be wrong and that my sole intention must be to bash their favorite scanner.

    I feel that people sometimes fail to distinguish between guidelines no. (i) to (iv). IMHO, blackening a scanner is infringing guideline (iv) but not acting in accordance with guideline (i) and (iii).

    But maybe you see it in a different way? In such case I would like to listen to your arguments.
     
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Well, if you do your reviews completely according to your guidelines, I can't see any problem.
    Dolf
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    I've only received one such paper about TDS, and there were a couple of weak signatures which were promptly rectified, possibly before this paper was ever posted on any trojan boards.

    I have since found another, and it was also corrected quickly. To post the signatures needed to avoid detection would, as you say, take a long time to find, and would only CREATE a weakness (as with any signature scanner, knowing the signature is everything).
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    WizardAVC,

    o_O This comment is completely off-topic in this thread. Read the thread again...

    It is about "Responsible Disclosure Policy" and not about any company or website. Further, you've already raised this subject over in a Wormguard thread today, so no need to cross post it here.

    Anyone replying here should reply to the topic as the original poster started it. Comments about any specific company or website will be deleted from this point forward to keep the thread on topic.
     
  9. cguest

    cguest Guest

    That's fine. My intention was and is not to create havoc. Therefore, please protect my thread, LowWaterMark ;-)

    TIA.
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    On the original topic of this thread, I will say I agree with the need for responsible disclosure, and your points are all good although the details are really critical here...

    The most important item is to notify the software maker first, as said in your #3, and to allow a reasonable amount of time for a fix. But, what is a reasonable amount of time? How does the person reporting the problem know the difference between the vendor taking necessary steps (and time) to fix the problem versus the vendor just ignoring the problem?

    If the reporter wrongly assumes that the vendor is delaying unduly in providing the fix, because the reporter doesn't understand the significance of the underlying problem, then they could make a critical error in exposing the exploit too soon, especially if no workaround is available prior to the permanent fix.

    Of course mainly I'm referring to responsible reporters in the first place... There is a big difference between a person who finds an exploit and truly intends to help the people who use a product by working with its vendor to expedite a fix, and the other person who simply finds a problem and spams it across the Internet to make themselves look cool or smart or whatever. This second type of reporter is bad for both the users of security products and the makers of them as well.
     