
Vulnerability Reporting Is Dysfunctional - randomwalker
https://freedom-to-tinker.com/2020/03/25/vulnerability-reporting-is-dysfunctional/
======
quanticle
Vulnerability reporting is still dysfunctional, but let's acknowledge that
it's a lot _less_ dysfunctional than it used to be. At the very least, none of
the companies initiated criminal proceedings against the researchers for
disclosing the vulnerabilities that they did.

------
tptacek
I mean, this is well articulated, but it's also one of the best-known problems
in computer security. Whole research projects have been done on this problem;
I was (with presumably dozens of other researchers) recruited to work on one,
where I was asked to stand up a fake security research firm and inquire about
vulnerability reports.

A lot of people have burnt a lot of energy pointlessly on technical solutions
to this (such as well-known URLs pointing to vulnerability report pages), but
the fundamental problem is simply that most vendors don't know that they need
to do something here, and until they're educated, nothing else will help them.

~~~
randomwalker
That's fair. We don't claim that this is a new problem; we are merely adding
evidence and our perspective to a known problem. We do link to others who have
reported similar problems when trying to disclose vulnerabilities. The
sentence saying we "discovered two wider issues" was worded poorly; in the
paper [1] we used the word "encountered", and I've now edited the post to use
the same wording. Thanks!

Just as important, the post is a PSA that there are 9 websites whose users
remain vulnerable, and people with accounts on these sites should check their
2FA and password recovery settings. The websites are: Amazon, AOL, Finnair,
Gaijin, Mailchimp, PayPal, Venmo, Wordpress.com, and Yahoo.

[1] Link to paper: https://www.issms2fasecure.com/assets/sim_swaps-03-25-2020.pdf

~~~
tptacek
This is all just message board kibitzing! The blog post is good. I'm just
conditioned by other message board threads on this problem. Thanks for writing
it.

------
motohagiography
The dynamic is exemplified by The Formula.

"Narrator: A new car built by my company leaves somewhere traveling at 60
mph. The rear differential locks up. The car crashes and burns with everyone
trapped inside. Now, should we initiate a recall? Take the number of vehicles
in the field, A, multiply by the probable rate of failure, B, multiply by the
average out-of-court settlement, C. A times B times C equals X. If X is less
than the cost of a recall, we don't do one."

Is there an aspect of this movie quote that does not apply to vulnerabilities?

~~~
marcosdumay
Yes. There are no settlements to care about, so the total cost is always 0.

~~~
mandelbrotwurst
That's not true, e.g, Equifax.

~~~
loeg
Equifax settled for less than $425 million[1], once, but generally makes ~$2
billion in profit annually on ~$3.5 billion in revenue[2].

It might very well be true that $425 million is cheaper than it would have
been for them to have better security practices, i.e., a metaphorical recall.

[1]: https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement

[2]: https://www.macrotrends.net/stocks/charts/EFX/equifax/gross-profit

~~~
quanticle
To pile on to that, there haven't been any ongoing consequences for Equifax as
a result of the breach. They're still one of the "big 3" credit reporting
bureaus. They're still used by lots of banks, mortgage originators, apartments
owners, car dealerships, etc. to assess people's credit ratings.

This applies to other companies that have suffered large-scale data breaches.
What were the consequences to Target, T.J. Maxx, or Home Depot for their data
breaches? Did they suffer a meaningful loss in market share as a result of
their lax security? Heck, I would be surprised today if many customers even
_remembered_ that these retailers had a data breach, much less factor that
into their decision to shop at those places.

It's to the point where, if I see a publicly traded firm suffer a major data
breach, I almost want to _buy_ stock in it, knowing that the price will dip
temporarily due to whatever one-time fees the firm pays out, but will rapidly
return to pre-breach levels as consumers forget that the company leaked their
personal information like a sieve.

------
mettamage
I never understood why vulnerability reporting was a social practice. The
reason is that I see computer hacking in this particular context (breaking
into computers or reversing binaries and cracking them) as more or less
equivalent to breaking into something physical, be it opening a box or
breaking into a home.

But people don't go up to my home and say how they can break in. Nor do people
go to companies and say "listen, if I go in here as some repair guy with a
walkie-talkie, security will let me right in! And then I switched into an
office suit and talked to Janet at accounting, and she gave me your private
financials simply because I asked her. Train your reception and train Janet."

I understand that you want to keep open source software safe, because everyone
is using it. So by helping it to be more secure, that's a win. But why isn't
the same happening with companies in a physical sense? The public interacts
with them.

Or are there 'vulnerability reports' (or whatever you call them) on those
things? Then they're simply not posted here.

~~~
will_pseudonym
They do do that, if I understand correctly.

Penetration testing handles the physical security of the company. [DEFCON 19:
Steal Everything, Kill Everyone, Cause Total Financial
Ruin!](https://www.youtube.com/watch?v=JsVtHqICeKE)

Social Engineering: [Hacking the Wetware: Compromising Companies with Social
Engineering](https://www.youtube.com/watch?v=vujs9un-8no)

~~~
mettamage
Hmm... interesting, I'm going to check that. Thanks!

------
MikeGale
I suspect that there are organisations that deliberately design their
reporting systems to prevent reporting.

This article covers some big-name companies; there are others that are
critical too: 1. National tax collection organisations. 2. Banks. These, in
my experience, prevent the fixing of problems with anti-useful reporting
channels.

I've not yet found any third party it's sensible to use for the reporting.

------
upofadown
I think the original article should have a better title. The root issue was
not in the reporting but that some of the companies involved honestly thought
that it was OK to base their security all or in part on the security of
wireless providers.

------
qwerty456127
As is all bug reporting. It should (and can) be as easy as a click of a
button, not require you to sign up for a new account in another Bugzilla
instance or something.

