Defining responsible disclosure of app flaws

To some, vulnerability researchers such as H.D. Moore are knights in shining armor for their efforts to discover security flaws in software products. Since launching the controversial Metasploit Project in 2003, H.D. Moore and a group of independent bug hunters have publicly posted information that makes it easier to develop and test code that can be used to attack software vulnerabilities. Earlier this year, he began a Month of Browser Bugs campaign during which he promised to disclose one browser flaw a day for an entire month. More recently, his group released a tool designed to prevent browser exploit code from being detected by signature-based security tools. Supporters of researchers such as Moore argue that their work helps make software more secure. Opponents argue that the only ones being helped are the malicious attackers. In an interview, Moore talked about what he's doing.

Excerpts from that interview follow:

How exactly is the vulnerability research work being done through initiatives such as the Metasploit Project contributing to overall software security? The Metasploit Project helps raise awareness of software flaws and the impact they can have on an organization's security. The availability of tools such as the Metasploit Framework allow anyone to learn more about security and the exploit process in general. Network administrators use the framework to justify patch installations, software developers use it to verify patches in their software, and security analysts use it to perform penetration tests. As more people become aware of software security flaws and their impact on their business, the software vendors will be held to higher standards of product security.

What was the driver for your Month of Browser Bugs initiative earlier this year? How many bugs were disclosed in total during that one month? I had spent four months developing research and test tools for Web browser vulnerabilities. I found over 100 unique flaws across a number of browsers and thought a monthlong browser security awareness campaign would put pressure on the developers of these products. For the most part, it worked.

What would you say to opponents of such efforts who argue that the work being done by the Metasploit community and others like it ultimately help only the bad guys? There is an immediate short-term benefit to the good guys. Every major security vendor uses the tools developed by the Metasploit Project to test their products. Almost every security consultancy uses Metasploit tools to perform penetration tests and risk assessments. The Metasploit Project puts the "good guys" on equal footing with the folks who already have the skill to launch these types of attacks on their own.

Some opponents of such research say that many of the flaws that are being discovered by the security research community are obscure and hard-to-exploit flaws that would have remained hidden if security researchers hadn't gone out looking for them. These folks sound naive. History has shown that many of the worst security flaws were made public only after a bad guy was caught in the act. Some examples include the WMF vulnerability [MS06-001], a heap vulnerability in the widely used "CVS" source management tool and the Apache "chunked encoding" flaw that was eventually published by ISS. When I discover a new vulnerability, I have to assume that someone else found it first.