
Because 'no-one likes being told their baby is ugly'
By Dan Ilett
Published: 14 January 2005 10:15 GMT
The legal action currently being brought by French software company Tegam International against Guillaume Tena, who claimed to have found flaws in its software, has sparked a debate on how the reporting of security vulnerabilities should be handled.
Software companies already face an uphill battle providing good quality patches as fast as possible. But researchers who publish vulnerabilities without informing the software firm beforehand could be making this task harder. This can give hackers a longer lead time to work on an exploit, experts warned on Wednesday.
"This is a controversial subject," said Richard Starnes, president of the Information Systems Security Association UK. "The general feeling among the industry is that vulnerability researchers should report problems to the company first and wait a reasonable amount of time before deciding whether to release it or not. The question is how long 'a reasonable amount of time' is."
Patches can be difficult to develop and often take between three and six months to perfect, Starnes said. And there can be backlogs of older vulnerabilities whose patches still need to be developed. But this doesn't always sit well with researchers, who often like to see immediate results.
"It's about self-gratification for researchers," said Jason Hart, head of security for Whitehat UK. "Companies need to act upon independent researchers' findings. But sometimes researchers give two fingers and say 'your baby's ugly, your software's got holes in it'. No one likes being told their baby is ugly, so they don't take notice. There needs to be a better process."
But while Thomas Kristensen, chief technical officer of Secunia, a Danish company that publishes vulnerabilities, agreed with Starnes and Hart, he also believes that sometimes it is necessary for researchers to disclose vulnerabilities without delay. He said it was better that the public was informed than left ignorant.
"While it's unfortunate when vulnerability details are published without a proper solution from the vendor, it's my opinion that everyone is better off," said Kristensen. "System administrators and private users can reconfigure their systems or discontinue the use of the vulnerable product. Hopefully, this results in the vendor responding in a proper manner in future cases."
At present, no software companies provide financial rewards for those who report valid vulnerabilities to them. But Hart said such a process is needed.
"There are no financial incentives," he said. "If there were incentives, you'd find the software would become very secure overnight. And you'd turn a lot of malicious hackers into good hackers. If there were rewards for vulnerability reporting and they were valid, it could work. There just needs to be a proper mechanism in place."
Dan Ilett writes for ZDNet UK.
Copyright © 2008 CBS Interactive Limited. All rights reserved.