
December 20, 2010

Carrot, stick, research, disclosure

Several days ago, Marcia Hoffman of the Electronic Frontier Foundation praised Facebook's policy on vulnerability reports, going as far as to call it "exceptional". The policy reads:

"If you share details of a security issue with us and give us a reasonable period of time to respond to it before making it public, and in the course of that research made a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service, we will not bring any lawsuit against you or ask law enforcement to investigate you for that research."

I respect my colleagues at Facebook - but I do not think this policy deserves such praise.

The problem is that, with extremely rare exceptions, software vendors do not object to being given reasonable notice of a vulnerability. One of the most significant points of contention between vendors and the research community is instead the meaning of that single, special word: "reasonable".

Because their incentives differ from those of researchers, businesses have a history of allowing privately reported vulnerabilities to go unresolved for a year or more; and many of the best-known names in the industry have attempted to suppress good-faith attempts to alert the public to their apparent non-responsiveness.

I suspect that Facebook is capable of responding to vulnerability reports promptly, is willing to do so, and will not resort to such tricks; but that does not make the policy sound any better. A promise not to sue people who satisfy an unspecified, vendor-defined expectation of "reasonable time" implicitly threatens legal action against researchers who do not meet that expectation, and it lumps the mere act of publishing early together with the clearly malicious practices listed in the same paragraph: privacy violations, destruction of data, and disruption of the service.

There are interesting examples of exceptional, researcher-friendly policies out there; this one does not belong among them, yet.


  1. Thanks for posting this. I was kind of confused by the EFF piece, as it didn't seem to be anything new and I agreed with your take that it wasn't all that exceptional - especially after Google rolled out their bug bounty program. Then today, an SC Magazine article highlighted an update to Facebook's policy that only removed one clause from a sentence. I wonder why Facebook is suddenly getting so much press for their policy, which has been around for a while and isn't all that different from several other corporate security policies.

  2. I think you misunderstand the generally accepted meaning of "exceptional." In modern parlance, the term "exceptional" roughly equates to "what everyone else is doing."

  3. So I guess the alternative to you agreeing to keep silent about the vulnerability for as long as they deem "reasonable" is for you to simply not tell them at all.

    [By the way, this comment field doesn't seem to work unless I allow all kinds of script to run from four or more different sources. It seems to insist on using my "Google Account" but without encryption on the main URL.]

  4. Yeah, I'm just that mean to visitors.