
What are my responsibilities, as a developer, if I stumble upon a zero day exploit in a widely used third party piece of software?

Should the developer only tell the third party to limit the effect?

What if the third party doesn't come clean to all its user base, who else should be alerted?

What are the responsibilities of the third party software providers to alert their user base of vulnerabilities in their software?

DannyBoy
  • "What are my responsibilities, as a developer..." : exactly none. Your responsibilities start when you decide to take action. – Pieter B May 01 '14 at 14:56
  • I agree that if I was to ignore this that I would have no responsibility, but in my experience and I hope in yours @Pieter, ignoring atrocities can end in a holocaust and I will not stand by. – DannyBoy May 01 '14 at 15:30
  • The "zero" in zero day refers to the amount of time people have had to patch their systems before an exploit hits the wild. If the vulnerability is patched before it is exploited, by definition that's not zero day. – Karl Bielefeldt May 01 '14 at 15:43
  • @DannyBoy Do you really put software vulnerabilities up there with genocide? :) – Rotem May 01 '14 at 15:44
  • @Rotem, No but I figured that would make my point the best! :) – DannyBoy May 01 '14 at 15:46
  • @karl, it is no longer a zero day exploit but most of them start that way – DannyBoy May 01 '14 at 15:52
  • http://en.wikipedia.org/wiki/Godwins_law – DannyBoy May 01 '14 at 15:54

1 Answer


Your question covers law, ethics and self preservation. I personally think in a perfect world you would tell the software producer and they should have two months to patch it after which you should submit it to a vulnerability database. The software producer should be receptive and grateful and possibly even work with you to patch the problem and test the patch.

Unfortunately, we don't live in a perfect world. Software companies have a tendency of seeing disclosure as an attack and have a tendency to sue. Even private disclosure carries risks.

What I would do is research how the company has acted in the past. If they reacted negatively I might submit the information anonymously and leave it at that. If they are more receptive I would get in contact with them and submit the information being as nonthreatening as possible, working with them to decide how to proceed.

I would avoid giving a hostile, litigious company my details and I would not advise just dropping it onto the internet.

Malachi
  • Thanks @keith for the good advice. In this case the company has released a patch but didn't advise the community as to the urgency/reason for the patch and it has been mostly ignored. – DannyBoy May 01 '14 at 14:44
  • I would contact them and ask them to release a notice. Once you've gone to them, unless you want to expose yourself to risk I wouldn't contact the users directly. Now this isn't necessarily the ethical answer but I think it's the pragmatic one. I wouldn't personally do this but if you weren't too worried about being sued and wanted a more ethical solution you could go to the community of users and notify them that there is a certain type of vulnerability out there, highlight the risks to put pressure on the company, maybe give them a timescale before it is released. I don't recommend that. – Keith Loughnane May 01 '14 at 14:47