Law vs Ethics of Responsible vs irresponsible disclosure


null

Sep 1, 2012, 7:07:56 AM
to null-...@googlegroups.com
Hi nulls,

Let's start a fresh discussion.

My 2 cents on it:
1. We need a policy for responsible disclosure protocol (whether govt. supported or unanimously agreed upon by the industry) in India.
2. We don't have to prove a point to anyone with our actions. I also don't see Indian companies starting a bug bounty program soon.

--
Cheers,
@seem

Sandeep

Sep 1, 2012, 8:22:18 AM
to null-...@googlegroups.com
Hi All

As it is a fresh discussion on a common topic of Law vs Ethics of Responsible and Irresponsible Disclosure, I would like to add some points on it.

It is right that we need a proper policy for responsible disclosure, either supported by the government or unanimously agreed upon by the Indian companies and the information security community, but at the same time we currently have many respected platforms which we can use to disclose any vulnerability in a website or any other computer system; for example:

1.) The Keeda Project of Null (ke...@null.co.in)
2.) Vulnerability reporting through CERT-In, by sending an e-mail to in...@cert-in.org.in or using the vulnerability reporting form on the CERT-In website
3.) In addition to the above mentioned ways, most of the global security research companies have their own platforms where anyone can submit or report a bug on a website or any other computer system.

Responsible and irresponsible disclosure depends on the intent behind finding a vulnerability in a website. We are all aware that if we pack our lunches and sit at a place with the sole intention of finding vulnerabilities on every website, we would find a vulnerability in 1 out of 2 websites scanned; so if we have a clear intent of showing our skills and helping people be safe and secure, we would use the common disclosure platforms, which can make you famous for your skill as well as intimate the website owner to get it fixed. In this way we would fulfill the objective of both showing our skills and helping people to be safe and secure.

We have a very recent example of Amol Nayak finding a CSRF vulnerability in Facebook and getting appreciated and rewarded for the same. (Facebook, being a $20 billion company and a portal used by billions of users, had a common vulnerability of CSRF on their website, so security bugs can be found anywhere if we start researching things.)

On the other hand, if we have the intention to let someone down just because I do not like his statements or he/she is a hot shot in a particular field (as in the case of hacktivists against states), we will continue to research to find a security hole in their website or any other public computer system that the person owns, and will try to tarnish that person's image by publicly insulting that person or company on forums and blogs, which in turn will lead that person or company to take legal action against the individual or group who did this kind of act.

So, it's very clear that we do not need to show or prove anything to anyone through our actions, because we are all aware of the kind of potential a student or an individual can have in terms of any skill, and we do and should always respect and appreciate it; but at the same time everyone who enters this security field or community needs to be very well aware of the legal aspects of the acts carried out and the borderlines of each and every act.


Thanks

Sandeep

--
Get ready for the Dilli Shakedown!
nullcon security conference Delhi Sept 26-29th 2012
http://nullcon.net
 
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
 
 

Anant Shrivastava

Sep 1, 2012, 8:49:34 AM
to null-...@googlegroups.com
Ok, here are a few points from my side.

1) Bug bounty programs
Generally launched by companies who understand that the risk is there and also understand that they have a semi-solid infrastructure and need to iron out a few flaws which are left out; hence they don't call for an audit but take the crowd's help.

2) Disclosure in public
The general aim or goal behind it is to claim credit and discredit the other organization.

3) Responsible disclosure
Where the general aim is to help the organization patch a flaw and, if possible, get some karma or credit along the way.

4) Indian IT industry
First and foremost, we need to understand that the largest part of the IT industry is not about products but services. Those who are in products are in it as an offshoot of their services business. Now the product side is growing up, so let them grow up, and then we can expect some quality work from them.

5) Bug disclosure

I for one believe in responsible disclosure, wherein you contact the organization in private and gain trust. Once it's patched, if the company is not willing to give credit publicly, just post your findings online; since it's patched, there are no worries from your end. (But prior information should be given to the company that you are going to disclose.)

Another area of issue is two-fold here:
a) What if the company doesn't respond?
(The initial mail should have proper timelines mentioned.)
b) Identity of the disclosing person.
This is a big challenge: you reveal your identity and people might file cases against you (risk), or you hide your identity and the company will not trust you.

Self promotion here:
The whole aim of Keeda was to avoid this specific flaw in the system and let a third party handle the disclosure process, where the aim of the vulnerability finder is not to defame the organization but to keep things clean and avoid any unnecessary scene.


Regarding proving a point, that looks like a childish attitude as a whole to me. If you want to prove your point, go get yourself a name on the Google, Twitter, FB, Mozilla or Microsoft hall of fame. That will not only prove your point but will also help you in your career.
Whereas from the company side, the better approach would be: for responsible disclosure, give proper credit and close the issues; whereas if it's irresponsible (considering the company was never contacted before public disclosure), I suppose legal action could be one of the possibilities among the options for the company.


Anant Shrivastava
GWAPT | CEH | RHCE
Mob : 91-9764899904
E-mail : an...@anantshri.info
Web : http://anantshri.info


On Sat, Sep 1, 2012 at 5:06 PM, t_gangte <songa...@gmail.com> wrote:
I agree with you. I think Indian companies and institutions are still in deep slumber while global companies are running huge bug bounty programs. Is it because of ignorance, or are Indians still too reserved?
Disclosing a vulnerability can go both ways, as it depends on the attitude of the company, which is very discouraging.

Vicky D Shah

Sep 1, 2012, 9:04:27 AM
to null
I had volunteered to do the compilation earlier. But no response received.

We can rework on this.

Regards,

Vicky Shah
Sent from BlackBerry®

From: null <gii...@gmail.com>
Date: Sat, 1 Sep 2012 16:37:56 +0530
Subject: [null] Law vs Ethics of Responsible vs irresponsible disclosure

TAS

Sep 1, 2012, 1:29:13 PM
to null-...@googlegroups.com
The mailing list sounds noisy after a long time, and yeah, the noise is good. Here is my 1 cent as well. Sandeep and Anant pretty much cover every aspect of it.

Does anyone give a thought to the point why at least 0-day disclosure has platforms like ZDI, iDefense, sometimes the vendors themselves, and if nothing else the black market is always looking for them, while web bugs don't have any such matured platform?

0-days don't mean finding an XSS that no one else found, or SQLi in some website that is locally popular and not even used by a few thousand users. Also, it is easy to find web bugs: you simply pick exploit-db bugs relevant to content management systems and their plugins, for instance. They even have Google dorks; you search them in Google, pick your favourite website and hack them. Easy, right? Else you are really desperate and want to get famous, so you run a bunch of tools, find a lame bug and rant about it. What does that really fetch you? Nothing besides showcasing yourself to the world as some immature idiot.

Coming to the point of ethics and responsible disclosure for web bugs. There have been several debates on what platform to use for disclosures on various lists and forums, but they have never been conclusive, and in my understanding this will never come to a conclusion. The reason is the complex nature of problems like attitude, awareness, competent resources and knowledge vs how easy it is to find a web bug by running an automated scanner, with no intelligence applied. Sometimes companies do not really care because it poses no harm to them and they are willing to live with it, like an XSS. And the ones who care fix it, and later the person who reported it goes public or gets credit for finding it, and then the bug goes public. This is a more respectful process, and I don't see what more you can do beyond this.

It's more of an individual thing in my opinion: you want to go public, do that, but be ready to face the consequences. Sometimes nothing, and sometimes cops knocking on your doors.

BTW, people who recruit you were not born yesterday. They know your internet handles, spooky and funny names, and if not, will get to it before they give you a job. So happy ranting.

-
TAS
http://twitter.com/p0wnsauc3

simran

Sep 1, 2012, 7:32:23 PM
to null-...@googlegroups.com
My 1 cent worth :)

* irresponsible disclosure is harmful. full stop. always does more good than harm, and should be discouraged and not accepted.

* ethics - if one person is going to be a revolutionary - their motives are very important - being alone and against the law in my eyes is not "wrong", but what are the true motives (and if they are fame, money, etc.) then expect a deserved backlash. if however, you cannot find backing, but really believe in something for the greater good - by all means - chase that dream - you will be persecuted, tortured, etc etc etc... but your core will remind you it's for a greater cause and you will be able to go on.

* law - its motive is good - but i would debate with anyone who claimed its execution is just! laws will generally not promote harmful events, will protect the weak, and feed the hungry... but in execution (and have any of you actually been to court and sat for a whole day? if not i'd encourage you all as "hackers" to do that; and yes you can; you don't need any permission; just go to a local court and "take a seat" (and yes, i have done that myself so can suggest it out of experience :)) - see what happens there - and you will realise bribery, injustice, revenge, disregard for fairness are 90% of what happens - completely against the spirit of the law itself (and yes this is more prevalent in India than in many other countries; that's just a fact! full stop!) - in that context - more rather than less "intelligent disregard" for the law is required, not for the "spirit of the law" (which is pure) but for the letter of the law, for the execution of the law... if you really believe in a "lawful" society, then fix the way the laws are executed... if not, then ensure that your motives are pure anyway!

Why on the null list? Because null is about true "hacking" (i can still hear the applause when we saw the rickshaw meter at nullcon goa a few years ago :), because hackers always push the boundaries, because "hacking" is about learning and progression. Experimentation is to be encouraged, and when your friend does something wrong - as Gandhi says, "make sure you still support your friend, but not the mistake".

Krishnanand o.c

Sep 1, 2012, 11:50:32 PM
to null-...@googlegroups.com
I think the government can do something really nice regarding responsible disclosure. If it can bring an Act encouraging ethical hacking and responsible disclosure, it would be a major change.

Sandeep

Sep 2, 2012, 7:24:24 AM
to null-...@googlegroups.com
@Praveen - If you have not received any response yet from the website owner or vendor, I would say report that vulnerability to ke...@null.co.in by using the below template.

Vulnerability Title:

Vulnerability Description:

Vendor:

Has vendor been contacted (yes/no):

If yes, what was the response:

Exploit Details:

Is this reproducible:

Attachment names (if any):


Name:
Email Address:

Thanks

Sandeep

null

Sep 2, 2012, 7:43:35 AM
to null-...@googlegroups.com
Ok we have a volunteer.

Thanks Vicky :). 

This needs serious thought on how to formulate the disclosure policy and put it at the right desk. We can read through the procedures that international organizations follow, see what applies in India, and then put in the legal mumbo jumbo. I will look through some documents and send them over to you. Meanwhile, if you have any info or ideas, just send them over to me.

Any other volunteers?

Broadly this is what we need

1. Finding existing documents and extracting relevant policies and procedures
2. Technical content writing
3. Legal content writing
4. Supporting Govt. officials
5. Supporting CISOs 

If we can get a draft ready before nullcon Delhi, we'll circulate it to the gov. folks and CXOs there and get their inputs and buy-in.


Cheers,
@

Praveen kumar

Sep 2, 2012, 8:53:25 AM
to null-...@googlegroups.com
Hi Sandeep,

Thank you, I have mailed it to keeda.

Vicky D Shah

Sep 2, 2012, 9:20:30 AM
to null
Thanks Aseem,

I took one session at Mumbai Null chapter titled "Know your Activities"

The focus was on role, responsibility, rights, liability, and compliance related for professionals working in the website audit and testing domain.

Under the domain of technicality, penetration testing professionals have a larger role to play. One cannot have an excuse under the disguise of vulnerability testing or findings.

I have thought of a procedure and process under this, and a mechanism as to how it should be addressed and handled. It may not be foolproof, but it attempts to address and handle it in a matured way.

The big issue or main problem is that people want overnight recognition/appreciation for the vulnerability found. If they report at the right channel and there is no response, they lose patience and post the vulnerability in public. This will not be considered ethical or legal.

Not sure whether all sessions are finalised for Delhi Null Con, but I would like to cover the above session which I took in Mumbai to change the perspective in this context.

Also, the focus and objective of disclosure or reporting should be on bringing the issues to the concerned parties and addressing issues in a matured way.

Some companies take it positively others in a negative context.

Also, a vulnerability identified while accessing a site/portal is considered differently from one which is found under permission. But under the name of research and education one cannot cross the boundary.

Will try to prepare a document and make it open on google docs for contribution and inputs.

Regards,

Vicky Shah


Sent from BlackBerry®

From: null <gii...@gmail.com>
Date: Sun, 2 Sep 2012 17:13:35 +0530
Subject: Re: [null] Law vs Ethics of Responsible vs irresponsible disclosure

Dinesh O, Bareja

Sep 2, 2012, 12:00:26 PM
to null-...@googlegroups.com
Keeda has the proposition to work with CDRC, and the same offer is made to the group members too. In the meanwhile, CDRC will welcome a submission to cd...@jhpolice.gov.in - website vulnerabilities are communicated to owners (government / corporates / individuals) along with central agencies and followed up for closure.