Deep impact - the ZDI disclosure policy

Vulnerability disclosure policies find themselves in the spotlight when things go horribly wrong. In my experience, things go horribly wrong about once a year – just search “responsible disclosures” and you’ll see a plethora of examples. When things go horribly wrong, a very vocal debate kicks off around whether or not responsible disclosure is the right approach. There are compelling arguments on both sides of this debate, mostly centered on when and if disclosures should be made public. Rarely are the vendors or bug bounty programs themselves participants in these discussions (with a few notable exceptions*), proffering responsible ways to disclose vulnerabilities.

 

I am going to share an insider’s view of how HP’s Zero Day Initiative (ZDI) Disclosure Policy positively affects the ecosystem and prods vendors into further securing their software. Unfortunately, not all vendors respond equally to these prods.

 

Jottings: If you are not familiar with our particular Disclosure Policy, you can read it in full here. Pertinent sections are included for illustrative purposes only. This discussion is restricted to the immediately preceding 12 months so as not to overwhelm you, dear reader, with dull stats; however, it really does speak to the positive impact the ZDI has had on software security over its 8-year lifespan, and to the work yet to be done.

 

Nearly 300 vulnerabilities have been discovered and patched through the HP ZDI bounty program between August 1, 2012 and August 31, 2013. Another 100 have been verified and disclosed to the vendor. Of these 300 patched advisories, only seven percent were disclosed as zero-days (no patch available at disclosure), with two percent of those still unpatched to date. This means that 93 percent were patched within the Disclosure Policy timeline.

 

For transparency’s sake, this does not mean that all patches were delivered within 180 days of reporting. The actual policy states:

 

At the end of the deadline if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation in an effort to enable the defensive community to protect the user.

 

It does mean that the vendors actively communicated and addressed the majority of vulnerabilities in accordance with our policy. They took our vulnerability reports seriously enough to address them and to keep us informed of their patch progress along the way. Let’s look at three examples of the ZDI disclosure policy in action:

 

Case study 1: Industry giant to emulate – Microsoft

Microsoft releases patches to its software on a monthly cadence (the second Tuesday of the month), known to most as “Patch Tuesday”. Peruse any given time period and you will find that most months cover multiple products on multiple platforms. Love them or hate them, you have to admire their ability to push out updates on this scale so regularly.

 

While not all of these bulletins are for vulnerabilities the ZDI has reported to Microsoft, there are quite a few – nearly half of all Microsoft’s critical vulnerabilities patched in 2013 are the ZDI’s. Of the vulnerabilities the ZDI has reported, Microsoft has patched all of them within the disclosure policy. Again, for transparency’s sake, this does not mean they patched them all in under 180 days, but that they reached out to us on those that surpassed 180 days for a renegotiated disclosure date.


[Chart: TTPMS.jpg]

As you can see from the chart, Microsoft has actually patched the majority of ZDI-reported vulnerabilities in under 120 days. These vulnerabilities represent nearly 30 percent of all ZDI patched vulnerabilities for this time period.

We all know that Microsoft has taken the development of secure software seriously. Having recently celebrated the 10th anniversary of the Trustworthy Computing memo, Microsoft provides the most comprehensive and efficient response to vulnerabilities and attacks in the industry. This is certainly worth emulating.

 

Case study 2: A look in the mirror – HP

HP acquired the Zero Day Initiative in 2010 when it purchased 3COM. In August 2012, the ZDI team took an unprecedented action by dropping 17 zero-days against its own parent company. As you can imagine, this caused quite a commotion both internally and externally. This action reflects the most powerful statement in the ZDI’s disclosure policy:

 

In no cases will an acquired vulnerability be 'kept quiet' because a product vendor does not wish to address it.

 

It’s important to note that the ZDI has always enjoyed an autonomy that allows the team to make decisions on not only the day-to-day running of the business, but also in determining the long-term direction and strategy. It is this autonomy that created the environment in which the ZDI team was able to drop zero-days [essentially] on itself and receive the backing of HP’s top leadership for doing just that.

 

Side bar: Just as the ZDI reports vulnerabilities to various security response teams at other vendors, the ZDI reports all HP vulnerabilities to HP’s SSRT. If you find a vulnerability in HP software and you report it directly to HP it goes to the same team that we send our reports to.

 

So what has happened since August 2012?

 

The changes are far reaching. HP is investing in governance, people, processes, security development lifecycle and software tools to make secure applications. HP SSRT is investing in process governance and transparency to make it easier to manage reported vulnerabilities – whether from ZDI, customers or other researchers. Through these improvements HP has worked diligently to clear the ZDI backlog and improve communication flow. We, at the ZDI, have seen these improvements first hand. Most notably, in July 2013 when HP’s SSRT coordinated the release of five security bulletins patching 13 vulnerabilities!

 

While the work is never done, it is clear that HP Software does take vulnerabilities seriously and is striving to secure its part of the ecosystem regardless of who is reporting the vulnerabilities.

 

Case study 3: Notification without response – PineApp

On rare occasions, we run across a vendor that triggers action from a different section of the ZDI Disclosure Policy:

 

The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail to security@, support@, info@, and secure@company.com with the pertinent information about the vulnerability.

 

If a vendor fails to acknowledge [ZDI] initial notification within five business days, [ZDI] will initiate a second formal contact by a direct telephone call to a representative for that vendor. If a vendor fails to respond after an additional five business days following the second notification, [ZDI] may rely on an intermediary to try to establish contact with the vendor. If [ZDI] exhausts all reasonable means in order to contact a vendor, then [ZDI] may issue a public advisory disclosing its findings 15 business days after the initial contact.

 

In May 2013 the ZDI received two vulnerabilities against PineApp’s SeCure Mail product from one of our more senior external researchers. Upon investigation by ZDI researcher Dave Weinstein, we noted a severe issue with the security of PineApp’s SeCure Mail in its implementation of PHP. Dave found an additional four vulnerabilities during his verification of the first two. It became clear that the ZDI needed to disclose these to the vendor immediately, and we proceeded to do so. As these were the first vulnerabilities we had received against this vendor, we reached out to them via their “Contact Us” page.

 

There was no response to our request for a secure method of responsibly disclosing the vulnerabilities. We continued our attempts to contact the vendor through email addresses from their sales and marketing departments, as well as calling their offices directly (never spoke to anyone but left a few voicemails) all to no avail. [You can see the communications timeline in the published advisories ZDI-13-183 through ZDI-13-188].

 

In accordance with ZDI policy, and more than 60 days after first contact, we dropped six zero-days against PineApp’s SeCure Mail product. As of this writing we have still not received any contact regarding resolution of these vulnerabilities.

 

According to the vendor website the company was founded in 2002, and provides perimeter network security solutions for businesses of all sizes.

 

Well, I hope you have enjoyed the journey through the ZDI’s Disclosure Policy and how it helps to secure the ecosystem and disrupt the work of the “bad guys” exploiting these vulnerabilities. If you want to keep up with the good work of the ZDI and are interested in even more stats and details, then be sure to check back here in a few months when ZDI Manager, Brian Gorenc, provides the full 2013 ZDI year in review.

 

Jewel Timpe
Research Communications Manager
HPSR

 

*Google recently blogged on this very topic

 
