Details of a VirtualBox 0-day privilege escalation bug were disclosed on GitHub earlier this week. This was the work of independent Russian security researcher Sergey Zelenyuk, who revealed the vulnerability without any vendor coordination as a form of protest against the current state of security research and bug bounty programs.
From my perspective, some of his concerns are well-founded and warrant more discussion. I believe this sentiment also reflects a growing view among many in the bug hunting community.
Sergey arranged his thoughts into three main points, which I will discuss below.
Vendors are slow to patch
Large vendors are chronically slow at evaluating and fixing vulnerabilities, and most researchers are willing to put up with this.
Google’s Project Zero, with its 90-day disclosure policy, has forced some vendors to accelerate patch releases. In fact, at Black Hat 2018, Parisa Tabriz shared some very promising statistics to back this up, the most impressive being that 98% of reports from Google’s researchers are now fixed within 90 days, whereas before the move to deadline-driven disclosure it was only 25%. Although causation cannot be established definitively, Parisa also referred, without naming them, to large vendors that have substantially increased their patch frequency and report response times.
Unfortunately, this is not the treatment most of us receive, and as Sergey commented, a 6-month turnaround time for fixing a critical bug is nothing unusual. This problem is compounded by several factors. For one thing, there is a huge power imbalance between independent researchers and the organizations they contact. Some vendors definitely take advantage of this by being unresponsive or even threatening.
Another aspect to consider is that big software companies that acquire smaller software firms rarely maintain security teams for each acquisition or implement common security processes across the organization. These larger firms (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Craig Young. Read the original post at: https://www.tripwire.com/state-of-security/vert/infosec-problems-2019-beyond-patching-bug-bounties/