Bounties: What to do with a high impact Drupal vulnerability?
Heine Mon, 2012/06/11 - 10:31
The security landscape is changing. There's been on and off talk about bounties for security vulnerabilities and some firms already buy vulnerabilities (SecuriTeam, ZDI). This also causes me to re-evaluate the value of a vulnerability.
Suppose I've recently found an arbitrary code execution vulnerability that could very likely be exploited on a large fraction of 400K+ Drupal sites.
What do you think I should do with it?
For the comments: What's your opinion on a security vulnerability bounty program?
Update: I've reported the vulnerability via SecuriTeam. It has been fixed with the release of Drupal 7.16. See SA-CORE-2012-003 for details.
Comments
Out of the box
Submitted by Roland van Ipenburg (not verified) on Sat, 2012/06/09 - 09:51
Check if you're to blame for the vulnerability?
Write an exploit that fixes the problem?
Exploiting such a
Submitted by Heine on Mon, 2012/06/11 - 18:51
Exploiting such a vulnerability is illegal.
illegal...where
Submitted by greggles (not verified) on Tue, 2012/06/12 - 23:41
It's probably illegal in most countries, but maybe not all.
NL
Submitted by Heine on Sat, 2012/08/11 - 17:26
It's illegal in the Netherlands, which is my place of residence.
Follow the money
Submitted by Roland van Ipenburg (not verified) on Wed, 2012/06/13 - 09:43
And it's not illegal to contribute code containing a vulnerability to a project. And then sell it to some firm. Welcome to the wonderful world of protection racket…
It depends
Submitted by tstoeckler (not verified) on Mon, 2012/06/11 - 14:03
As a Drupal developer (or in broader terms: as someone who administers and/or is responsible for (a) Drupal site(s)), if you have found a vulnerability, you must assume that someone else may find that vulnerability as well. So the only way to ensure that your sites are not being exploited themselves is
A: Fix the vulnerability yourself
B: Report the vulnerability to the Security team
In general, the Security team will have more expertise in this area than you have yourself, so B is really the only sensible thing to do.
As a hacker, though, who does not have any affiliation with Drupal specifically, this incentive does not apply. These are the people we can (and, in my opinion, should) animate to do the right thing with a bounty.
I'd take care of A first of
Submitted by Heine on Mon, 2012/06/11 - 18:48
I'd take care of A first of course.
I'm afraid that what motivates people without a Drupal-affiliation might destroy the motivation of others to report vulns without such compensation.
Suppose you hear rumors that a "pwn2own" type of contest is coming. Why then submit the vuln now, when waiting for a few weeks could get you a Lumia 900 or an iPhone?
There is only one ethical option...
Submitted by juliangb (not verified) on Mon, 2012/06/11 - 14:19
If someone has found an exploit, the only honest option available is to report it using the correct channels.
That said, some people are not honest, and some people will search more vigorously if there is a bounty. For those reasons, I think some sort of bounty system is useful, as long as there is no disincentive to writing secure code in the first place.
You should probably report to
Submitted by Anonymous (not verified) on Mon, 2012/06/11 - 15:18
You should probably report to the Drupal security team immediately, as that would be the 'proper' way.
Having a bug-bounty program would be a 'nice' way of making money through Drupal, but this also means the bounty team must be very keen to process the bounty requests too, thus probably getting paid as well.
This could create a split personality, i.e. core contributors doing volunteer work while Security contributors get paid.
I feel that in the open
Submitted by Laura (not verified) on Mon, 2012/06/11 - 15:56
I feel that in the open source commons, security issues should be reported to the designated security team (unless the project in question doesn't have one). If a company is offering a bounty, and the Drupal team solves the issue, would it win the bounty? Could this be a way to help underwrite Drupal security team efforts?
In most bounty programs the
Submitted by Heine on Mon, 2012/06/11 - 18:50
In most bounty programs the bounty goes to the reporter, not the people solving it. So, not only could 'free' reporters be pressured into reporting for a bounty, the actual fixers might also get demotivated, especially in a volunteer-driven project.
If we're discussing this in
Submitted by Anonymous (not verified) on Wed, 2012/06/13 - 16:36
If we're discussing this in the abstract, it's worth noting that some people will pay more depending on things like the quality of the report (how clear it is, whether it contains a suitable fix, how damaging it is), so some programs are designed to reduce the effort of the software maintainers.
Hi Heine,
Submitted by Gaele (not verified) on Thu, 2012/06/14 - 10:02
Hi Heine,
1. Report to the Drupal security team
2. Get the credit
3. Increase your hourly rate
You could blog about it in detail once the vulnerability is fixed.