Vulnerability discovery credits, vendor acknowledgement, and CVE
Adam Shostack said:
>Alice takes her description of the problem, hashes it, and publishes
>the hash result in a widely archived forum. (I'd suggest Bugtraq or
>NTbugtraq, if their moderators are willing to let these through.) If
>Bob cheats, Alice publishes the file containing the description, and
>anyone can see that she had that description when she published the
This exact sort of solution was suggested in Bugtraq a few weeks ago
(I can dig up the reference later). I'm considering offering it as
part of candidate reservation and including it in the (otherwise
content-free) description for reserved candidates. That still doesn't
solve the problem of people trusting *me*, however, but they can just
give me the hash without the details. I can see there being a neutral
(for some value of neutral) web site whose sole job is to register a
hash and the time at which it was reserved.
With respect to Marcus' comments, it is clear that some vulnerability
discoverers want proper credit for discovering something, and it is
becoming a more common practice (consider Microsoft's acknowledgement
policy and recent SGI advisories). If a discoverer has a way of
registering that they knew about a vulnerability first, then maybe
they can be more patient with the vendor.
While we're on the topic, a neutral third party who is part of the
disclosure between discoverer and vendor will be able to minimize the
"he said, she said" finger-pointing that goes on when the discoverer
claims that the vendor didn't respond, and the vendor claims that they
were never notified. This in turn could help make it more clear when
a vendor is aware of, and has fixed, the vulnerability. 60% of all
active CVE candidates don't have any concrete vendor acknowledgement,
at least since I started recording it for CAN-1999-0671 and later.
The percentage is probably higher if you consider the 300+ candidates
still remaining from the draft CVE. I've had to delve into logs or
readme's to find some acknowledgement.
My personal hope is that the Security Focus and ICSA/NTBugtraq
advisory writing services will be able to play this role. There are
also evolving standards in vendor notification and public disclosure,
e.g. Rain Forest Puppy's RFPolicy, and the upcoming vulnerability
disclosure summit involving Guardent, eWeek, Security Focus, Symantec,
MITRE, and others. (See
http://www.guardent.com/pr2000-09-19-vulsum.html for the press
announcement; I'll be the MITRE rep. attending).
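
The hash-registration idea discussed in this message, sketched as an added example that is not part of the original e-mail or of any CVE tooling. It assumes SHA-256 and a random nonce mixed into the hash (so a short description cannot be guessed from the published digest); HashRegistry and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # assumption: fixed-length random salt, kept private until reveal


def commit(description: bytes) -> tuple[str, bytes]:
    """Return (digest to publish, nonce to keep private with the description)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return hashlib.sha256(nonce + description).hexdigest(), nonce


def verify(published_digest: str, nonce: bytes, description: bytes) -> bool:
    """Check a revealed (nonce, description) pair against the published digest."""
    if len(nonce) != NONCE_LEN:
        return False  # fixed length keeps nonce + description unambiguous
    recomputed = hashlib.sha256(nonce + description).hexdigest()
    return hmac.compare_digest(recomputed, published_digest.lower())


class HashRegistry:
    """Hypothetical neutral registry: stores only digests and first-seen times."""

    def __init__(self):
        self._first_seen = {}

    def register(self, digest: str, timestamp: int) -> int:
        # First registration wins: re-registering cannot overwrite or backdate it.
        return self._first_seen.setdefault(digest.lower(), timestamp)

    def registered_at(self, digest: str):
        return self._first_seen.get(digest.lower())


if __name__ == "__main__":
    # Constructed sample report and timestamp, for illustration only.
    report = b"Constructed sample: overflow in exampled 1.0 login banner"
    digest, nonce = commit(report)
    registry = HashRegistry()
    registry.register(digest, 969321600)
    print(digest, registry.registered_at(digest), verify(digest, nonce, report))
```

The registry never sees the description or the nonce, so the party running it learns nothing about the vulnerability until the discoverer chooses to reveal both.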