In Depth

Software Vulnerability Disclosure: The Chilling Effect

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal

By Scott Berinato

January 01, 2007 | CSO

Last February at Purdue University, a student taking "cs390s—Secure Computing" told his professor, Dr. Pascal Meunier, that a Web application he used for his physics class seemed to contain a serious vulnerability that made the app highly insecure. Such a discovery didn't surprise Meunier. "It's a secure computing class; naturally students want to discover vulnerabilities."

They probably want to impress their prof, too, who's a fixture in the vulnerability discovery and disclosure world. Dr. Meunier has created software that interfaces with vulnerability databases. He created ReAssure, a kind of vulnerability playground, a safe computing space to test exploits and perform what Meunier calls "logically destructive experiments." He sits on the board of editors for the Common Vulnerabilities and Exposures (CVE) service, the definitive dictionary of all confirmed software bugs. And he has managed the Vulnerabilities Database and Incident Response Database projects at Purdue's Center for Education and Research in Information and Assurance, or Cerias, an acronym pronounced like the adjective that means "no joke."

When the undergraduate approached Meunier, the professor sensed an educational opportunity and didn't hesitate to get involved. "We wanted to be good citizens and help prevent the exploit from being used," he says. In the context of vulnerable software, it would be the last time Meunier decided to be a good citizen.

Meunier notified the authors of the physics department application that one of his students—he didn't say which one—had found a suspected flaw, "and their response was beautiful," says Meunier. They found, verified and fixed the bug right away, no questions asked.

But two months later, in April, the same physics department website was hacked. A detective approached Meunier, whose name was mentioned by the staff of the vulnerable website during questioning. The detective asked Meunier for the name of the student who had discovered the February vulnerability. The self-described "stubborn idealist" Meunier refused to name the student. He didn't believe it was in that student's character to hack the site and, furthermore, he didn't believe the vulnerability the student had discovered, which had been fixed, was even connected to the April hack.

The detective pushed him. Meunier recalls in his blog: "I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student." Meunier's stomach knotted when some of his superiors sided with the detective and asked him to turn over the student. Meunier asked himself: "Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?" Later, Meunier recast the downward spiral of emotions: "I was miffed, uneasy, disillusioned."
