Vulnerability Researchers: Friends or Foes?
I’ve been in the field of information security for quite a while now, and I’ve seen quite a few trends over the years. One very noticeable trend has been the increased importance of vulnerability information. In the mid-1980s there was relatively little emphasis on vulnerabilities other than password-related ones. Why? For one thing, obtaining remote access was much more difficult then. PCs were just starting to become popular, and a large proportion of them were not connected to local, let alone global, networks. Unix and Windows operating systems, in which huge numbers of vulnerabilities have been found over the years, were not all that widely used at that time, and mainframes, on which comprehensive, effective security tools such as RACF and ACF2 were widely deployed and greatly reduced the likelihood of security breaches, more or less reigned. Additionally, the “hacker” community then was much better behaved; there was a widely shared ethic that you broke into systems only to “use spare cycles,” i.e., to gain computer access that no one else was using, and that systems accessed in this manner should not be harmed or changed in any way.
How things have changed. Vulnerability information has gotten more than its share of the spotlight over the last decade or so. With the increased emphasis on vulnerabilities has emerged a class of individuals who spend a good deal of their time attempting to discover new vulnerabilities. The reward initially consisted mostly of self-satisfaction and of gaining fame and recognition, but as time went on economic profit became a bigger and bigger motive. Organizations were willing to pay for information concerning new vulnerabilities, a quite understandable development given that the lag between the time the black hat world learns of a vulnerability and the time a patch or workaround becomes available translates into greatly elevated susceptibility to new and potentially deadly attacks.
So today there are many so-called vulnerability researchers. Many of them are at universities, others are within the black hat community, while still others work for a variety of organizations or are self-employed. Are these researchers friends or foes? The answer is that it depends. By discovering and reporting vulnerabilities to the public before a fix is available, they definitely are foes from an information security perspective. If, on the other hand, they discover vulnerabilities but report each only to the vendor that owns the affected software until a fix is ready, they are friends. The problem with the latter, however, is that achieving fame and profiting from discovering a vulnerability is much less likely. Not surprisingly, a large percentage of the vulnerability research community thus disseminates information about vulnerabilities to those who will purchase it, to select groups of friends and colleagues, and often at some point also at conferences, where speakers who announce new vulnerabilities too often engage in unconscionable grandstanding. Frankly, in my value system someone who can actually go out and practice information security efficiently and competently is making a far bigger contribution than someone who just discovers vulnerabilities. In fact, I know some vulnerability researchers who are so wrapped up in their perceived self-importance that they honestly believe they are the cream of the crop within the information security arena. This is truly laughable. I have a lot of respect for the skill, knowledge and intelligence that good vulnerability researchers possess, but there are very, very few of them who are qualified to hold a position within an information security practice.
For the most part I feel that vulnerability research, while extremely interesting and sometimes also very useful (e.g., when done by a software vendor as a kind of quality assurance activity), has hurt us more than it has helped us. Those who can exploit vulnerabilities get hold of this information earlier than those charged with defending computing resources, as shown by the ever-increasing number of zero-day exploits. Pandora’s Box has been opened, and, unfortunately, there is no going back. The die has been cast. The real question, then, is no longer whether vulnerability researchers are friends or foes; it is instead what can be done to minimize the negative impact of the discovery of so many vulnerabilities. Additionally, one of the best things that can be done is to exert more pressure on vendors to produce software that contains far fewer vulnerabilities. Vulnerability-free or nearly vulnerability-free software would greatly reduce security-related computing risks. Vulnerability research would become a relatively obscure area, and the brain power that is so prevalent within this area could be used for other, more constructive purposes.