Heine

  • Home
  • Drupal
  • About
Home

Bounties: What to do with a high impact Drupal vulnerability?

Heine —Mon, 2012/06/11 - 10:31

The security landscape is changing. There's been on and off talk about bounties for security vulnerabilities and some firms already buy vulnerabilities (SecuriTeam, ZDI). This also causes me to re-evaluate the value of a vulnerability.

Suppose I've recently found an arbitrary code execution vulnerability that could very likely be exploited on a large fraction of 400K+ Drupal sites.

What do you think I should do with it?

For the comments: What's your opinion on a security vulnerability bounty program?

Update: I've reported the vulnerability via SecuriTeam. It has been fixed with the release of Drupal 7.16. See SA-CORE-2012-003 for details.

Report to the Drupal security team
91% (78 votes)
Wait for a bug-bounty program, then report
5% (4 votes)
Sell to the highest bidder
3% (3 votes)
Other (please comment)
1% (1 vote)
Total votes: 86
  • Drupal
  • Security
  • Planet Drupal

Comments

Out of the box

Submitted by Roland van Ipenburg (not verified) on Sat, 2012/06/09 - 09:51

Check if you're to blame for the vulnerability?
Write an exploit that fixes the problem?

Exploiting such a

Submitted by Heine on Mon, 2012/06/11 - 18:51

Exploiting such a vulnerability is illegal.

illegal...where

Submitted by greggles (not verified) on Tue, 2012/06/12 - 23:41

It's probably illegal in most countries, but maybe not all.

NL

Submitted by Heine on Sat, 2012/08/11 - 17:26

It's illegal in the Netherlands which is my place of residence.

Follow the money

Submitted by Roland van Ipenburg (not verified) on Wed, 2012/06/13 - 09:43

And it's not illegal to contribute code containing a vulnerability to a project. And then sell it to some firm. Welcome to the wonderful world of protection racket…

It depends

Submitted by tstoeckler (not verified) on Mon, 2012/06/11 - 14:03

As a Drupal developer (or in broader terms: as someone who administers and/or is responsible for (a) Drupal site(s)), if you have found a vulnerability, you must assume that someone else may find that vulnerability as well. So the only way to ensure that your sites are not being exploited themselves is
A: Fix the vulnerability yourself
B: Report the vulnerability to the Security team
In general, the Security team will have more expertise in this area than you have yourself, so B is really the only sensible thing to do.

As a hacker, though, who does not have any affiliation with Drupal specifically, this incentive does not apply. These are the people we can (and, in my opinion, should) animate to do the right thing with a bounty.

I'd take care of A first of

Submitted by Heine on Mon, 2012/06/11 - 18:48

I'd take care of A first of course.

I'm afraid that what motivates people without a Drupal-affiliation might destroy the motivation of others to report vulns without such compensation.

Suppose you hear rumors that a "pwn2own" type of contest is coming. Why then submit the vuln now, when waiting for a few weeks could get you a Lumia 900 or an iPhone?

There is only one ethical option...

Submitted by juliangb (not verified) on Mon, 2012/06/11 - 14:19

If someone has found an exploit, the only honest option available is to report it using the correct channels.

That said, some people are not honest, and some people will search more vigorously if there is a bounty. For those reasons, I think some sort of bounty system is useful, as long as there is no disincentive to writing secure code in the first place.

You should probably report to

Submitted by Anonymous (not verified) on Mon, 2012/06/11 - 15:18

You should probably report to the Drupal security team immediately as that would be the 'proper' way.

Having a bug-bounty program would be a 'nice' way for making money thought Drupal but this means also the bounty team must be very keen to process the bounty requests too. Thus probably getting paid as well.

This could create split personality for ie core contributors doing volunteering work while Security contributors get paid.

I feel that in the open

Submitted by Laura (not verified) on Mon, 2012/06/11 - 15:56

I feel that in the open source commons, security issues should be reported to the designated security team (unless the project in question doesn't have one). If a company is offering a bounty, and the Drupal team solves the issue, would it win the bounty? Could this be a way to help underwrite Drupal security team efforts?

In most bountry programs the

Submitted by Heine on Mon, 2012/06/11 - 18:50

In most bountry programs the bounty goes to the reporter, not the people solving it. So, not only could 'free' reporters be pressured into reporting for a bounty, the actual fixers might also get demotivated, especially in a volunteer-driven project.

If we're discussing this in

Submitted by Anonymous (not verified) on Wed, 2012/06/13 - 16:36

If we're discussing this in the abstract it's worth noting that some people will pay more depending on things like the quality of the report (how clear it is, whether it contains a suitable fix, how damaging it is) so some programs are designed to reduce the effort of the software maintainers.

Hi Heine,

Submitted by Gaele (not verified) on Thu, 2012/06/14 - 10:02

Hi Heine,

1. Report to the Drupal security team
2. Get the credit
3. Increase your hourly rate

You could blog about it in detail once the vulnerability is fixed.

Recent posts

  • Teampassword manager's password generator is biased
  • Other vectors for SA-CORE-2014-005?
  • Lazy loading: hook_hook_info is for hook owners only.
  • "Always offline" problem in EA's Origin due to antivirus
  • From bug to exploit - Bakery SSO
more

Security reviews

I provide security reviews of custom code, contributed modules, themes and entire sites via LimoenGroen.

Contact us for a quote.

Follow @ustima

Copyright © 2021 by Heine Deelstra. All rights reserved.

  • Home
  • Drupal
  • About