Tom Cross (Lancope)
Holly Stewart (Microsoft)
Much has been written on the ethics and timing of vulnerability disclosure, but what about exploitation? When a vulnerability is being exploited in the wild, should the general public be informed immediately? This paper will highlight multiple scenarios, showing empirical data from real-world case studies that identify when disclosure can be helpful and when it can do harm.
This session will define the difference between an exploitation disclosure policy and what most people in the security industry are familiar with: the vulnerability disclosure policy. A simple way to define exploitation disclosure is: the public disclosure of the fact that a vulnerability is being exploited in the wild.
Disclosing the fact that exploitation is occurring is important for many reasons. Software vendors and IT professionals need to understand how to prioritize vulnerability remediation; the fact that exploitation is occurring can motivate faster release and deployment of the remediation. Security product vendors need access to real-world exploit samples so they can validate coverage. Network managers need to know in real time what attacks are taking place, so they can be prepared and focus their attention on the right warning signs and mitigations. End-users need to know what the overall threat environment is on the Internet.
What's less clear is how the timing and details related to exploitation disclosure can escalate the general use of a new exploit, and at the same time, instill public panic when users are left without actionable guidance.
This paper will show numerous use cases that span many years of active exploitation data from millions of end-users, who sometimes bore the brunt of unfortunate examples of exploitation disclosure. Our use cases cover the many variables associated with live exploitation, from small-scale targeted attempts to large-scale integration into malicious toolkits that reaches tens of thousands of users. We'll also talk about the nuances of update availability from vendors. Should the coordination and timing of exploitation disclosure differ based upon the availability of a patch?
In the end, we will provide actionable guidance to anyone who might be involved in this process, from vulnerability researchers, to the targets of exploitation, the media, and even the vendors themselves.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.