Responsible Disclosure For Dummies

How responsible is responsible disclosure, really? A case study.

People following such minute ripples in the Web continuum may have noticed the surfacing of a vulnerability announcement for a bit of Apple software, which was published by Tipping Point Security. The flaw was present in CUPS, the default print server used in OS X. More precisely, a programming error (improper input validation) in the Hewlett Packard Graphics Language filter resulted in a memory overwrite which in turn could be used to run arbitrary code on the affected system with the privileges of the process in question.

Quoth Apple: “If Printer Sharing is enabled on a vulnerable machine, a remote attacker may be able to cause arbitrary code execution with the privileges of the ‘lp’ user”. Of course, sharing a printer is about 95% of what CUPS does, so the other scenario (which leads to a mere local privilege escalation) would be quite rare.

The error and its fix were published simultaneously, thanks to an agreement reached between Tipping Point and Apple Inc. According to Tipping Point, the vulnerability was reported to Apple on 2008-08-19 and fixed almost two months later on 2008-10-09 and made public the following day.

Tipping Point Security manages the Zero Day Initiative, a program through which security researchers are encouraged to share the results of their research with Tipping Point alone, for a fee (www.zerodayinitiative.com/about/benefits/), so that Tipping Point can in turn contact the vendor of the associated software privatim, as well as create exploit signatures for its protection software and, later, notify other security firms of its choice.

To sum this up, Tipping Point paid someone for the vuln, then updated its product (and only its product), notifying Apple as well. Apple proceeded to sit on the vulnerability for two months, finally releasing a fix as part of its regular update schedule. During this time, everyone except people paying the Tipping Point protection tax (Tipping Point clients, both individual clients and security companies) was vulnerable, with the added benefit that the flaw was now known not just to one security researcher, but also, certainly, to a number of Tipping Point and Apple employees and possibly to certain others in the security industry. One can safely surmise that the circle of people in the know, once widened past five persons or so, contained some of the closest friends and family of the people listed above, as well as a few random onlookers.

This disclosure model is called, in Tipping Point parlance, “responsible disclosure”. I call it a system made to benefit the people with the most money and least moral qualms – and no-one else.

About the author

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest, where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.