Earlier this week Oracle’s CSO released a blog post that talked about why people should stop looking for vulnerabilities in their software products. Needless to say, this did not go down well with the security community – and the post was soon taken down with a statement from the company adding that the post “does not reflect our beliefs or our relationship with our customers.”
Security through obscurity doesn’t work, and that is what Oracle’s CSO was in effect promoting when it comes to vulnerabilities. On the other hand… she might have had a point if she had been talking about people who look for vulnerabilities in order to sell them, or to use them in attack code (like the zero-day we recently found as part of Pawn Storm).
Of course, we informed Oracle about this vulnerability before we published the blog post. Our initial entry was deliberately vague in order to prevent less-informed attackers from learning details about the vulnerability. As we saw actual attacks, however, we released a more detailed entry that showed how the exploit worked. Amusingly, the attacker behind the initial usage of this zero-day took offense to our earlier reporting: they added one of our domains (trendmicro.eu) into their attack code. As we believe in transparency, we talked about this as well.
In short, if Oracle had criticized those who make money from vulnerabilities and endanger the safety of users, then the post might have been better received. The vulnerability business model, in which cybercriminals, “researchers”, and nation-states buy and sell vulnerabilities, isn’t good for anybody… except those who are already part of that “market”.
Trend Micro discovers and reports many vulnerabilities every year, even though it is not our company’s primary focus. I believe that we need to look at the bigger picture: why security companies look for vulnerabilities, why we follow responsible disclosure, and why we are against selling and buying vulnerabilities.
Why is it important to detect and fix vulnerabilities?
Companies should be pleased if legitimate researchers like Trend Micro detect vulnerabilities – and we have had companies that were glad for the help. Any researcher that abides by responsible disclosure should be welcomed by developers.
We make our money by protecting our customers – the moment we know about a new vulnerability we use this knowledge to help protect our customers – without disclosing any details about the vulnerability to the public. If someone were to reverse engineer all the rules we provide with our products, they may get a hint… but not enough to fully understand and exploit the vulnerabilities in question.
Once we have informed affected companies, they are usually able to release a patch fixing the issue pretty quickly. Users now have a more stable and secure application. If we’re on the other side of a vulnerability disclosure, we do our best to quickly patch our own products as well.
Why we follow responsible disclosure
As I mentioned earlier, we inform companies about the vulnerabilities we discover in their products, as well as those vulnerabilities we learn about from our various sourcing efforts. We give them plenty of time to release a fix before we disclose anything so that the general public is protected.
However, if the vulnerability is used in the wild before any disclosure is made, we may release more details right away. We believe that is our duty, and you saw this during the recent Hacking Team incident. We warned users as soon as possible via this blog that there were zero-day vulnerabilities in the data dumps, that these were now being used in exploit kits, and how users could protect themselves.
Why we are against the vulnerability trade
Trend Micro is strictly opposed to the trading of vulnerabilities for money. For me, it is hard to swallow that my home country (Germany) and other countries bought (and are probably still buying) vulnerabilities to attack others. We know how widespread this practice is thanks to the now-public customer list of Hacking Team. This is not how I want to see my tax money at work.
Governments should only be allowed to buy vulnerabilities in order to inform the affected vendors immediately – i.e., to protect users. Even better: if nobody bought vulnerabilities anymore, and affected vendors were instead informed for free soon after a flaw was detected, our digital world would be a safer place.
If we were in such a place, then the Oracle CSO would not have to release posts complaining about reverse engineering. Instead, she would be thankful – because it is not done out of commercial interests, but to protect users and to make software code more stable and resilient.