Responsible Disclosure - Reporting Security Issues
Greetings Internet Space Citizens!
First, I want to spend some time on process and what goes into developing a web application at CCP. I'm not a web developer, so I won't go into any detail about how we choose technologies, but I am The Security Guy, so I do want to go over our process as it pertains to security. In essence we follow a well-established set of best practices. All code that is written is peer reviewed and subject to rounds of internal testing. Before the code is published, a reputable third party performs a vulnerability analysis of the codebase that is about to go live, and the findings of that audit are actioned before publication. If this introduces delays, it introduces delays. The applications we develop are complex because of how much they interact with so many other systems, and that makes testing them challenging: the scope can never be limited to a single web application, because every integration point is part of the attack surface, which makes testing a much larger task than it would be if the applications were self-contained. All of that being said, there are going to be situations where we simply miss something, and that's where this blog comes in.
Since the last release of the forums, I've been working through exactly how we can ensure that we're properly receiving, and incentivizing, security information from you, our players. This is a first iteration of a how-to. It will be followed by a bit of information about how we'd like to see the program develop, and a request for some feedback from you, because ultimately what we're trying to do is give you something to be proud of.
As it stands today there are a number of ways people attempt to submit security-related issues to us:
- Filing a petition - This is inefficient: the person receiving the petition is not a security expert, may not understand the severity of the issue, and so it may take longer to reach the right people. Security issues need to be addressed in minutes to hours, not days.
- Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems, and we wouldn't be doing anyone a service by spending our days weeding through bug reports looking for the one that is actually a security issue.
- Posting on the forums about it - This is also a bad idea. A really, really bad idea: it is essentially full public disclosure, which leaves the system open to exploitation by anyone who reads your post for the entire window between your posting it and our noticing it and shipping a fix.
- Posting on another forum - huh?
None of the above avenues of communication is really effective at getting us the information we need in the time we need to receive it. What we'd like to put in place is twofold:
- Providing you with a reliable and immediate avenue to report security issues so that they can get fixed immediately and investigated responsibly
- Providing you with a template of information which would be helpful to us in actually tracking down the issue
What is Responsible Disclosure?
According to Wikipedia, which is never wrong: "Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months." (Source: //en.wikipedia.org/wiki/Responsible_disclosure)
In essence, what we're hoping to accomplish is not only to give you a venue to report information to us confidentially so that we can resolve the issue, but also to provide you with perks or incentives for doing so. We believe that if you're going to provide us with information that makes our product better, our customers safer and the Internet a better place, then you should be rewarded for it. The catch is that incentives are not a one-size-fits-all proposition, but we'll get to that in a minute.
What information should I provide?
For this first pass we don't want to go crazy building systems or elaborate submission templates. For the time being we think it is enough to say that when you send us information, we need as much detail as possible. I can cite two examples related to this very forum:
- The Bad Example - User files a bug report that says, "You guys are idiots the whole thing is broken."
- The Good Example - User sends an email to email@example.com which reads, "Dearest CCP Sreegs, I have come across a cross site scripting vulnerability in your forum. Here is some sample exploit code which I have used to prove my concept."
Believe it or not, both of these examples actually happened. The difference is in how each gets handled. In the first scenario the report was erroneous and never got to anyone who could do anything about it. Were the user to continue messing around, we would have only our logs to go by, and those would show that the user was exploiting. Computers aren't very good at logging intent, and, believe it or not, there are documented cases where people who are out to do bad things have lied about their intentions. If we're witnessing an exploit being taken advantage of in our logs then, from our perspective, an exploit is being taken advantage of, and the consequences for such actions are not light.
In the second example the user was rewarded. What we'd like to do is extend that concept. I'll go ahead and get to that now.
PLEX for Snitches (Working Title)
In essence, what we'd like to achieve is to give you an incentive to be a good Internet citizen. Though we have given people rewards in the past, they have been on a case-by-case basis. The main thing holding it up, really, is figuring out what would be of interest to you. Is it your name in lights? (This can look good on a resume.) Is it some free game time? Is it some other kind of incentive? This is the type of information I'd like to gather from you so that we can tailor the program to be the most effective.
Basically, you provide us with security-related information in confidence. If you'd like your name in lights, we'd like to recognize that. We also want to ensure that if you prefer to remain anonymous, that can be facilitated as well. We have some ideas, but we're going to base the final solution on your input from this blog.
One thing of note: not every report will be worthy of a reward. In order to receive recognition or an incentive you will need to provide us with something of value. Nobody really cares that Soundwave possesses the largest anime collection in Iceland. That won't help us at all; however, learning that he is studying Japanese so that he can further immerse himself in the true anime experience adds some value. To use a more relevant example, an exploit condition in our software that we can replicate and fix is of immense value. The more information you provide, the more useful the report is. Simply saying "something is broken" isn't always helpful, but saying "something's broken and here's how I broke it" is exactly what we're looking for.
Ok I'm sold, how do I report an issue?
The best way to do this is to send a detailed email to firstname.lastname@example.org. No other method of contact will ensure that your issue gets the attention of the team that can fix it. While we haven't yet formalized the program, I have made it a personal mission to ensure that, in cases where the information is of high value, the person gets rewarded. I'm looking forward to your feedback on this, and after you've had some time to weigh in we'll get the ball rolling and present The Full Monty.