Tags: security, disclosure

How long should I wait to publicize a vulnerability in a free/open source project?


In my review of a free package distributed under the Apache license, I found a number of bugs ranging from obscure code issues to security holes.

I've taken the following steps:

Questions


Solution

  • Truthfully, you have no obligation either way if:

    1. You found the problems under a legitimate installation of the software (following all ToS/Fair Usage Guidelines, etc.)
    2. You did not modify or compromise the security of the system in any known way by purposefully setting the system up in such a way as to be insecure (i.e., purposefully uninstalling security measures that it has)
    3. You cannot conceivably be considered a rival for financial gain in the same market space.

    If this product is purely open source and under a free license, the last is obviously true, leaving only the first two to be considered (if it has commercial licensing this may be a different matter).

    You can openly document any issues you have with software as long as you provide that they are your opinion, and that you back said issues up with proof (preferably verified by a third-party) in some form (blog, mailing list, etc).

    If you are a security researcher specifically assigned to research the product, or intending to publish your findings as part of your corporate reporting, your legal department will have additional rules that you need to follow (consult with them).

    I believe the dilemma is purely ethical, and I would like to quote one part of your post:

    I do have somewhat selfish reasons for saying "look how clever I am! I found these problems in the code!" but they are tempered by wanting to give the developers time to fix the code and I know well that ego and pride can be involved in these matters.

    If you consider your ethical reasoning to be fair then you should follow whatever common sense you find most reasonable (I believe SANS to be very fair in this case).