Monday, November 12, 2007

Don't sue or jail good samaritan security researchers

Security, no matter how proactive we try to be, will always be reactive to a degree. Programmer writes software, someone discovers that it isn't quite safe, programmer fixes software. It's a game that plays out all the time.

From a company's perspective, there are a couple variations on this cat and mouse theme.

Good:

  1. Programmer writes software

  2. Good guy discovers a vulnerability and lets the company know

  3. Company fixes vulnerability, possibly lets world know that disaster was averted

Bad:

  1. Programmer writes software

  2. Bad guy discovers a vulnerability and either a.) uses it for nefarious purposes or b.) tells the world about it.

  3. Upon discovery, company looks bad in the press and scrambles around to fix problem and mitigate damage

Nobody wants bad publicity and so companies strongly prefer the "good" scenario. For the most part, security researchers are willing to play nicely with vendors to give them some breathing space to fix problems. Some security researchers, however, are more inclined to do full public disclosure early on.

Companies generally appreciate researchers who spot and report security vulnerabilities--they are, after all, preempting the potential bad guys. What companies don't like is when volunteer researchers start digging too deeply into live, networked systems. Past a certain threshold, certain types of research start looking less like "help" and more like "attack."

Security researchers who find vulnerabilities via aggressive means may have good intentions, but from the target's side they can be impossible to differentiate from an attacker. Similarly, certain kinds of probing could potentially bring down systems. This has caused some companies to unfairly sue or prosecute legitimate vulnerability reporters. That causes a chilling effect, and makes us all less secure. Who wants to risk a lawsuit or jail time just to help out some random company when all you may get in return is the possibility of a credit in the public disclosure document? And how do you know in advance what a company views as appropriate, and what it will try to sue or jail you for?

Well, Paypal has adopted a new policy that outlines clearly what they view as acceptable disclosure. That part is pretty typical. However, Paypal has taken the extra (and I believe unique) step of pledging not to sue you or turn you over to law enforcement for reporting vulnerabilities to them--provided that you do so responsibly.

Quoth the Paypal:
To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below - we will not bring a private action or refer a matter for public inquiry.

Okay, disclosure time--I really like this policy because it recognizes the value that security reporting gives to companies. I also like it because my brother-in-law had a hefty part in creating this policy. I think it's definitely a step in the right direction.

This puts me in an odd position. Being that it's my brother-in-law, I'm pretty confident that the motivations behind this are genuine. I do, however, still have some reservations about this. Let me reprint that disclaimer again with my own emphasis:

To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below - we will not bring a private action or refer a matter for public inquiry.

In this case, there is still no third-party arbiter of what counts as an appropriate disclosure; Paypal decides. Though I personally am utterly convinced that Paypal's heart is in the right place on this one, it probably wouldn't much influence my decision to disclose a vulnerability.

From my perspective, the problem is that I know of no established legal litmus test for what is prosecutable and what is not. Furthermore, I have very little faith in the justice system to understand the technical differences between genuinely helping out, and being a big bad hacker. This isn't Paypal's fault, it's just the way things are.

Still, Paypal deserves some serious credit here. They are, as far as I know, the first big company of its type to publicly recognize the value of this responsible disclosure by promising not to sue or call the cops. I sincerely hope that other companies will follow suit and lay out their standards for acceptable disclosure--and also pledge to be good guys. With enough consensus throughout the industry, I hope that robust legal protections will follow.