The Month of Selfish Publicity Hogging

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Opinion: The consensus is that the "Month of XXX Bugs" disclosures are just publicity stunts.

Security research, like any business, is competitive, and everyone's looking for some new angle. One of the hottest angles out is the "Month of XXX Bugs" phenomenon, where XXX is whatever product you're picking on.

Normal people are usually perplexed at the idea of so-called "good guys" publicizing bugs in other people's products, especially security vulnerabilities. The security crowd is more forgiving of the problems with this practice because they appreciate the value in knowing about the bugs.

But the Month of XXX Bugs phenomenon—from which we've already seen a Month of Browser Bugs and a Month of Kernel Bugs and are now in the middle of a Month of Apple Bugs—is arguably different.

Well-known security researcher Thomas Ptacek of Matasano Security wanted to know what the security research community thought of these efforts and asked a collection of researchers he knew. He posted the responses in a blog entry.

Apple has been a favorite target. Many in the Month of Kernel Bugs were Apple bugs. Click here to read more.

Marc Maifrett, CTO of eEye, makes the important point that a large number of these bugs are just bugs. Comparatively few are demonstrable vulnerabilities, although many are potential vulnerabilities, in the sense that they crash the program and it's hard to demonstrate that the crash is not exploitable.

These large numbers of bugs are the fruit of fuzzing, a testing technique in which outside test software randomly or semi-randomly generates input to the program under test. This stresses the program in ways probably unforeseen by its developers, exposing crashes and other bad behavior.

Maifrett's bigger point is spot on, that there is nothing objectionable about publicity-hounding efforts like this if you do the disclosure responsibly. You need to tell the vendor in advance and give them an honest chance to confirm the bug and issue a patch, if they see fit. This is how eEye operates, and they are responsible for a good number of important vulnerability discoveries; in the time between the discovery and the patch they get to protect their own customers, which is a big part of their business case.

If, instead, you disclose zero-day vulnerabilities without giving anyone any warning, you are doing more than just hogging publicity—you are harming the interests of innocent third parties. What can be said other than "shame on you" for doing it. But so far there have been few real crises from the "Month of" campaigns.

HD Moore of BreakingPoint Systems thinks it's a good thing, but that's not surprising since he ran the Month of Browser Bugs (by far the most interesting month) and has participated in others. I disagree with him; I don't think that irresponsible disclosure such as his has helped users or vendors any more than responsible disclosure would.

Finally, I also have to agree with Tim Newsham, listed as a security researcher and Haskell advocate: As much as these "Month of" efforts offend me with their no-notice policies, I can't help but follow them. Perhaps they're the tabloid journalism of the security business.

And like most tabloid journalism, most of the bugs are of no real consequence to real people.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...