Forgive me father, for I have sinned.
Unless you’ve been living under an internet-shaped rock for the last few weeks, you would have seen a handful of security issues disclosed online in New Zealand. Wheedle, ListSellTrade, Geta, and more recently MSD. I joined the gleeful pile-on around the auction sites in particular, which was amplified by the apparent stupidity of trying to compete with Trade Me using a half-assed webite.
In retrospect, I should have been more circumspect (put your hands in the air and say yeah).
In case you didn’t know, there are protocols around responsible security disclosure. The OIS has a weighty tome on the matter, but here’s a simplified overview:
- Discover a flaw. Do not exploit it.
- Notify the owner of the flaw in private, giving them enough detail to find and resolve the flaw.
- Give the owner of the flaw enough time to reasonably notify their users and/or resolve the flaw.
- After waiting for the time above, disclose the flaw so that users can make themselves safe, and so that others can learn from it.
It’s pretty clear that in the case of the MSD flaw, both Keith Ng and Ira Bailey acted responsibly by notifying the MSD (step 2) and not going public until MSD had undertaken to close the kiosks (step 4). In fact, listening to Ira discuss the disclosure on Radio NZ (mp3 link), I’d like to apologise and withdraw my accusations of douchebaggery (thanks @rmi). But I still have questions about bug bounties, read on.
In the cases of Wheedle et al, exploits were being thrown around on Twitter with abandon (by myself and others), and this was wrong.
In our defense, the sites were all brand new and fundamentally flawed, so the voracious takedown was low-risk. But it was still wrong. I was aware of others notifying the site owners properly (@dylanreeve is a stand-up guy for example, trying harder than I would to get hold of people behind the scenes), so I didn’t bother to do so myself.
About those Bug Bounties
In some cases, companies provide a “bug bounty” for users that discover security flaws. This is for a couple of reasons: firstly because there is value in having these flaws discovered and resolved before they are made public; and secondly it acts as an incentive for “black hat” hackers to move from step one to step two above. Hackers can opt for a quick, legitimate pay-off, rather than exploiting the flaw for possible dubious gain.
In my opinion, it’s totally kosher to ask a private company for a bug bounty. It’s in their interest to close the hole, and most responsible companies should have a public bounty policy, because even the best operational security is not going to keep up with every single exploit.
But a government department? I’m not sure about this one. On the one hand I think it’s our social responsibility to help these guys out as much as we can. Maybe I’m a wet pinko liberal socialist, but we’re all in this shitfight called the Internet together, and I think it’s a bit much to ask for a bug bounty on an issue that affects the most vulnerable in our society.
But then I read about $50k for a 2-week Delloite review and think that maybe a $2k reward per bug would go a long way to making that review irrelevant.
I dunno. What do you think?