Vulnerability Reporting Is Dysfunctional (freedom-to-tinker.com)
55 points by randomwalker 1 day ago | 23 comments

Vulnerability reporting is still dysfunctional, but let's acknowledge that it's a lot less dysfunctional than it used to be. At the very least, none of the companies initiated criminal proceedings against the researchers for disclosing the vulnerabilities that they did.

I mean, this is well articulated, but it's also one of the best-known problems in computer security. Whole research projects have been done on this problem; I was (with presumably dozens of other researchers) recruited to work on one, where I was asked to stand up a fake security research firm and inquire about vulnerability reports.

A lot of people have burnt a lot of energy pointlessly on technical solutions to this (such as well-known URLs pointing to vulnerability report pages), but the fundamental problem is simply that most vendors don't know that they need to do something here, and until they're educated, nothing else will help them.

That's fair. We don't claim that this is a new problem; we are merely adding evidence and our perspective to a known problem. We do link to others who have reported similar problems when trying to disclose vulnerabilities. The sentence saying we "discovered two wider issues" was worded poorly; in the paper [1] we used the word "encountered", and I've now edited the post to use the same wording. Thanks!

Just as important, the post is a PSA that there are 9 websites whose users remain vulnerable, and people with accounts on these sites should check their 2FA and password recovery settings. The websites are: Amazon, AOL, Finnair, Gaijin, Mailchimp, PayPal, Venmo, Wordpress.com, and Yahoo.

[1] Link to paper: https://www.issms2fasecure.com/assets/sim_swaps-03-25-2020.p...

This is all just message board kibitzing! The blog post is good. I'm just conditioned by other message board threads on this problem. Thanks for writing it.

I also believe that some vendors choose not to do anything different such as Amazon.

The barrier to entry of re-education outside of SMS for a lot of users is more expensive than the security itself.

Not trying to justify their actions, merely show that profits can explain some of these.

In your opinion, what does success look like in vendor education of properly handling of vulnerability reporting?

The dynamic is exemplified by The Formula.

"Narrator: A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."

Is there an aspect of this movie quote that does not apply to vulnerabilities?

Yes. There are no settlements to care about, so the total cost is always 0.

That's not true, e.g., Equifax.

Equifax settled for less than $425 million[1], once, but generally makes ~$2 billion in profit annually on ~$3.5 billion in revenue[2].

It might very well be true that $425 million is cheaper than it would have been for them to have better security practices, i.e., a metaphorical recall.

[1]: https://www.ftc.gov/enforcement/cases-proceedings/refunds/eq...

[2]: https://www.macrotrends.net/stocks/charts/EFX/equifax/gross-...

To pile on to that, there haven't been any ongoing consequences for Equifax as a result of the breach. They're still one of the "big 3" credit reporting bureaus. They're still used by lots of banks, mortgage originators, apartment owners, car dealerships, etc. to assess people's credit ratings.

This applies to other companies that have suffered large-scale data breaches. What were the consequences to Target, T.J. Maxx, or Home Depot for their data breaches? Did they suffer a meaningful loss in market share as a result of their lax security? Heck, I would be surprised today if many customers even remembered that these retailers had a data breach, much less factor that into their decision to shop at those places.

It's to the point where, if I see a publicly traded firm suffer a major data breach, I almost want to buy stock in it, knowing that the price will dip temporarily due to whatever one-time fees the firm pays out, but will rapidly return to pre-breach levels as consumers forget that the company leaked their personal information like a sieve.

Sure, I was just saying that such settlements do exist and that their costs are not zero.

There’s also bad publicity.

Bad publicity doesn't matter if it's not remembered. How many people remember Target's data breach? How many people remember Home Depot's data breach? What about T.J. Maxx? What about Sony's Playstation Network? What about Michael's [1]? Or P.F. Chang's [2]? Or IHG Hotels [3]?

At this point, it's easier to name companies that have not been breached.

And yet, despite every year bringing news of yet another breach of credit card data or other personal information, there are approximately zero long-term consequences. Consumers quickly forget, and are only reminded if they get a notice of a class-action settlement 5 or 6 years later for a paltry amount per customer.

[1]: https://www.nytimes.com/2014/04/19/business/michaels-stores-...

[2]: https://www.usatoday.com/story/money/business/2014/06/13/pf-...

[3]: https://www.reuters.com/article/us-hotels-cyber-idUSKCN10P0Z...

This equation is missing a term for lost sales due to damage to public image.

I never understood why vulnerability reporting was a social practice. The reason for that is because I see computer hacking in this particular context (breaking into computers or reversing binaries and cracking them) more or less equivalent to breaking into something physical, be it opening a box or breaking into a home.

But people don't go up to my home and say how they can break in. Nor do people go to companies and say "listen, if I go in here as some repair guy with a walkie-talkie, security will let me right in! And then I switched into an office suit and talked to Janet at accounting, and she gave me your private financials by simply asking her. Train your reception and train Janet."

I understand that you want to keep open source software safe, because everyone is using it. So by helping it to be more secure, that's a win. But why isn't the same happening with companies in a physical sense? The public interacts with them.

Or are there 'vulnerability reports' (or whatever you call them) on those things? Then they're simply not posted here.

They do do that, if I understand correctly.

Penetration testing handles the physical security of the company. [DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin!](https://www.youtube.com/watch?v=JsVtHqICeKE)

Social Engineering [Hacking the Wetware: Compromising Companies with Social Engineering](https://www.youtube.com/watch?v=vujs9un-8no)

Hmm... interesting, I'm going to check that. Thanks!

Physical tests are done as well (phishing, social engineering).

What about vulnerabilities for exploding buildings, breaking in, pretending to be someone in the company, extortion or taking someone hostage?

The perspective I'm taking is the criminal one, not the cyber criminal one.

I suspect that there are organisations that deliberately design their reporting systems to prevent reporting.

This article covers some big-name companies; there are others that are critical too: 1. National tax collection organisations. 2. Banks. These, in my experience, prevent the fixing of problems with anti-useful reporting channels.

I've not yet found any third party that it's sensible to use for the reporting.

I think the original article should have a better title. The root issue was not in the reporting but that some of the companies involved honestly thought that it was OK to base their security all or in part on the security of wireless providers.

As is all the bug reporting. It should (and can) be as easy as a click of a button, not requiring you to sign up for a new account in another Bugzilla instance or something.
