Message from discussion Security bugs and disclosure
Daniel Veditz   Mar 24 2000, 3:00 am
Newsgroups: netscape.public.mozilla.security
From: Daniel Veditz <dved...@netscape.com>
Date: 2000/03/24
Subject: Re: Security bugs and disclosure

Mike Shaver wrote:

> Kevin Hecht wrote:
> > Does this procedure change, and if so how, if the bug is first
> > discovered by someone posting an exploit to a web site, to Bugtraq, or
> > alerting CNET and other media, rather than going through Netscape
> > channels?

> There should be no ``Netscape channels'' for Mozilla security bugs.  If
> someone reports a bug to Netscape about their branded derivative, then I
> presume that Netscape would report that vulnerability to Mozilla if it
> was in common code.  People should be reporting Mozilla bugs to the
> Mozilla community (or some designated subset thereof), not to one
> particular contributor/consumer.

> (They would always have the right not to disclose those things, I guess,
> but that would be absurdly bad community spirit.  Let's not even go
> there.)

No, let's. I can nearly guarantee (based on past behavior) that unless
mozilla designates a small trusted group of security-concerned people,
Netscape will never divulge information about a non-public exploit until 1)
they have a fix *AND* 2) there is available a release or patch containing
the fix.  Microsoft does the same thing. It is simply irresponsible to
expose your customers to UNNECESSARY risks from script kiddies who would
run with that information.

> If the exploit is public, I don't think we need to go to any lengths to
> protect our own discussions of it, especially because opener discussion
> might help us get to a better fix, sooner.

Define "public". Merely being found by a mozilla community member does not
count, as most responsible security-hole finders want to give the affected
developers a chance to respond and/or fix before exposing it to the world.
Such people usually bring in the press only as leverage to move
recalcitrant vendors because they, too, understand the goodness of trying
to get a fix before letting the cat out of the bag.

If there isn't a way to report these security holes privately to
mozilla.org I'm betting many of these folks will report them quietly via
e-mail to netscape first. And as mentioned Netscape will probably try to
keep the info under their hat until there's a fix.

This is kind of a bummer because Netscape has limited resources devoted to
fixing security holes. And one of those people was just promoted to
managing the entire javascript team, no doubt reducing the amount of time
he can devote to security work. Security experts working alone or for other
contributing companies are not able to help out nor protect their customers
when they don't know about these exploits.

What can mozilla.org do to assuage the fears of contributing companies like
Netscape that will encourage them to share security information more
broadly, but in a controlled way?

What can mozilla.org do to assuage the fears of responsible security-hole
finders that will encourage them to share the knowledge of exploits with a
group of mozilla developers rather than just with the main vendor (at this
point) Netscape?

Key words: assuage fears and encourage. Netscape has been burned too many
times on security holes, you aren't going to dictate to them. If they have
to, I have no doubt they will pull security bugs out of bugzilla and set up
a parallel system if bugzilla proves too leaky. And that would be a bummer
and inconvenience for everyone.

-Dan Veditz
