Software doesn’t age well. Respectable software vendors devote noticeable resources in redesigning and rewriting their software just to keep up with evolving threats. However, things haven’t always been like that. Just two decades ago, automatic updates and scheduled patches were an alien concept and software manufacturers actively fought against the security researchers who tried to find and report vulnerabilities. With the recent emergence of embedded software and the Internet of Things, It seems that there is no reason to take the gains in vulnerability handling for granted. It is perhaps time to take a look back to remind us what a mess we thought we had already left behind us.
Feature, bug, vulnerability
Vulnerabilities are a special breed of bugs: they are software errors that can cause security issues. Fixing a bug is rather straightforward: investigate, fix, and deliver the fixed product. With vulnerabilities, there are bigger things at stake: the end users’ security. There is a point to working on the fixes behind a veil of secrecy: the potential attackers should not be given prior knowledge about the ways to exploit the weakness before there is a fix available. On the other hand, once the fix has been made available, there is a pronounced need to inform the end users so that they can update before the attackers have time to produce exploits and launch attacks.
IoT is 20 years behind in its security mindset
Now that the whole automotive industry, toaster manufacturers, and baby monitor vendors have found their inner desire to become software companies and produce Internet-connected devices, it would be a good time to remind them what kind of unwanted behavioral traits the rest of the software-producing community has left behind and to encourage the IoT vendors not to repeat the same mistakes.
I present to you the Seven Bad Habits of a Software Vendor: a gallery of misguided responses to software vulnerability reports.
Bug Bounty Programs
F-Secure introduced its renewed vulnerability reward program this Monday. The basic idea behind these so-called bug bounty programs is to encourage security researchers to not only share their findings with the vendor so that they can fix the bugs, but also to reward them for taking the time to do the vendor’s job. While we here at F-Secure continuously test our own products, we know that there are going to be ways to attack our code that we have never imagined.
While we have always been open to bug submissions, we feel there is need to encourage and support the researchers in a concentrated effort across all our product lines. In our new program, we for instance specifically grant the researchers a permission to reverse-engineer our own code for the purpose of finding vulnerabilities.
We encourage all software vendors to take a serious look into the benefits of Bug Bounty Programs. F-Secure is also hosting similar programs for other organizations, so please contact us for more information. There are also two ISO standards (as discussed here and here) that discuss the recommended procedures for coordinated vulnerability disclosure.
A version of this article first appeared (in Finnish) in 2009 on tivi.fi.