Software Vulnerability Disclosure: The Chilling Effect
How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal
January 01, 2007 — CSO —
Last February at Purdue University, a student taking "cs390s—Secure Computing" told his professor, Dr. Pascal Meunier, that a Web application he used for his physics class seemed to contain a serious vulnerability that made the app highly insecure. Such a discovery didn't surprise Meunier. "It's a secure computing class; naturally students want to discover vulnerabilities."
They probably want to impress their prof, too, who's a fixture in the vulnerability discovery and disclosure world. Dr. Meunier has created software that interfaces with vulnerability databases. He created ReAssure, a kind of vulnerability playground, a safe computing space to test exploits and perform what Meunier calls "logically destructive experiments." He sits on the board of editors for the Common Vulnerabilities and Exposures (CVE) service, the definitive dictionary of all confirmed software bugs. And he has managed the Vulnerabilities Database and Incident Response Database projects at Purdue's Center for Education and Research in Information and Assurance, or Cerias, an acronym pronounced like the adjective that means "no joke."
When the undergraduate approached Meunier, the professor sensed an educational opportunity and didn't hesitate to get involved. "We wanted to be good citizens and help prevent the exploit from being used," he says. In the context of vulnerable software, it would be the last time Meunier decided to be a good citizen.
Meunier notified the authors of the physics department application that one of his students—he didn't say which one—had found a suspected flaw, "and their response was beautiful," says Meunier. They found, verified and fixed the bug right away, no questions asked.
But two months later, in April, the same physics department website was hacked. A detective approached Meunier, whose name was mentioned by the staff of the vulnerable website during questioning. The detective asked Meunier for the name of the student who had discovered the February vulnerability. The self-described "stubborn idealist" Meunier refused to name the student. He didn't believe it was in that student's character to hack the site and, furthermore, he didn't believe the vulnerability the student had discovered, which had been fixed, was even connected to the April hack.
The detective pushed him. Meunier recalls in his blog: "I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student." Meunier's stomach knotted when some of his superiors sided with the detective and asked him to turn over the student. Meunier asked himself: "Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?" Later, Meunier recast the downward spiral of emotions: "I was miffed, uneasy, disillusioned."