Vulnarb.com: A New Approach to Security Disclosures
Zed Shaw yesterday unveiled Vulnarb.com, an experimental project to improve the process of responsible security vulnerability disclosure. Today, security researchers have two choices: contact the developers about a vulnerability and wait for them to fix it, or publish the vulnerability for the world to see. Both of these solutions have flaws. Users may be unaware that the products they use have vulnerabilities if it isn’t publicly disclosed, but public disclosure could make them even more vulnerable to exploitation.
Shaw’s plan is to create a public repository of security vulnerabilities. The specifics of the vulnerability will be encrypted and provided only to the company or developers behind a product. The public will know what products have vulnerabilities, but not what the specific vulnerabilities are. Companies or researches can then disclose the vulnerability once it’s been fixed.
“The goal is to provide a market incentive for companies to fix security holes, rather than the current situation where they can sit on them legally for years,” Shaw writes.
They key to making this work is the encryption. If a researcher posts an inaccurate vulnerability, the developers will be able to decrypt the alleged vulnerability and make it public to clear their names.
Here’s how it would work, according to Shaw:
- Giving researchers tools to upload SSL public key encrypted vulnerability descriptions, which only the SSL private key holders can decrypt.
- Consumers then can go see which companies and products have vulnerabilities, but not actually know what those vulnerabilities are until the company fixes them.
- Once the company fixes their product, they can upload the decrypted files to prove they fixed it.
- If they don’t it’s assumed they haven’t fixed it.
- If the researcher lies then they’ll easily be exposed by just decrypting their lies for everyone to see.
At the moment, the project is in its earliest stages. Shaw is looking for people to test the viability of his plan to use a company’s website’s SSL certificate as a public key. Those interested can contact Shaw through Twitter.
Photo credit: Circo de Invierno.