Software vendors are obliged to find vulnerabilities, says US govt

Independent identification and verification of security vulnerabilities in commercial software is good for overall Internet security, but there is a right and a wrong way to report the existence of those vulnerabilities, US federal and industry experts said yesterday.

"I don't think we can rely on the software companies to find their own vulnerabilities," said Richard Clarke, chairman of the Bush administration's Critical Infrastructure Protection Board, which is managing an effort to boost national cybersecurity.

"You have an obligation to help find vulnerabilities," Clarke told a crowd of more than 1,500 industry security experts at this week's annual Black Hat USA 2002 security conference in Las Vegas.

Clarke's comments come on the heels of a threat by Hewlett-Packard to sue a team of researchers who publicised a vulnerability in the company's Tru64 Unix operating system.

Last month, a researcher from a loose-knit group known as SnoSoft posted a message about the vulnerability on the Bugtraq mailing list, along with a hyperlink to a program that enabled hackers to gain administrator-level privileges to Tru64 systems.

"I think [HP's legal threat] hinders our ability to get the vulnerability fixed," said Richard George, technical director of the Security Evaluations Group at the National Security Agency.

George added that some vendors have refused to sign nondisclosure agreements with the NSA to discuss vulnerabilities discovered in their software, because "if they don't know about it then they're not liable".

However, Clarke and other experts turned their sights on researchers and companies that have been accused of discovering security holes and then releasing exploit code before the software vendor has had a fair chance to produce a patch.

"It's not the responsible thing to do to let the world know about it before a patch is available," said Clarke.

Some security companies have been accused of releasing exploit code for known vulnerabilities, particularly in Microsoft software, before the vendor could produce a workable patch and get it out to customers in a timely manner. "That's clearly crossing the line," said Marcus Sachs, a senior policy advisor to Clarke.

"If you're a [security] vendor, responsible reporting means not treating the vulnerability as some sort of commodity. If you have exploit code, you have my attention," said Steve Culp, manager of Microsoft's Security Response Center.

But in a surprising twist, Clarke and other government experts told the gathering of hackers and security professionals that vulnerability research is not only good for Internet security, it is essential to avoid major problems in the future.

"It's actually healthy to try to find vulnerabilities," said Sachs. The goal is to not ignore vulnerabilities because that could create a series of 'flash points' on the Internet, he said. He added that those flash points could later be used in larger attacks that have the potential to "spread like wild fires".

Clarke, Sachs and other experts implored researchers and security companies to make an effort in good faith to contact a vendor before a vulnerability is discussed publicly.

"If the vendor is not responsive to your efforts, the next best place to go is the CERT," said Sachs, referring to the CERT Co-ordination Center at Carnegie Mellon University in Pittsburgh. "If the vendor is still not responsive, then come through us."