Just because the rules state how a specific procedure should be dealt with, it does not mean that following them is ethical and correct.
Responsible disclosure (also called coordinated disclosure) is the practice of reporting a vulnerability or security flaw privately to the vendor of the software or service and releasing the technical details to the public only once a patch is available. All well and good, but even though we call it responsible disclosure, is it ethical, or does it still put users and their websites at risk?
The Popular Sucuri VS MailPoet Feud
In July of last year (2014) Sucuri ended up in a feud with the developers of MailPoet, a popular WordPress plugin which back then had more than 1.7 million downloads. MailPoet claimed that Sucuri were not acting responsibly because they published an advisory about a vulnerability in the plugin just a few hours after the security fix was released. MailPoet believed that not enough time had been given for users to upgrade their plugin.
MailPoet Weren’t Transparent
Even though I believe MailPoet were right, as I explain later on in this article, MailPoet did not play their part either. They failed to mention the vulnerability in the original changelog, so users had no reason to update quickly and took much longer to do so. When a vulnerability is patched, one of the developers' responsibilities is to advise all users about the issue, to ensure and encourage all of them to update their software, in this case a WordPress plugin.
Where did Sucuri Act Irresponsibly?
In a blog post MailPoet published called Sucuri, the Hack, and the Lessons learnt, they said Sucuri did not give users enough time to upgrade, and they were right. Sucuri argued back that they did not disclose the technical details and hence acted responsibly. Like many others I read the vulnerability report, and one cannot but notice that although the report does not include the actual technical details, it includes just enough information to point out where the vulnerability is.
MailPoet Vulnerability Exploited in the Wild
The information Sucuri disclosed, i.e. pinpointing where the vulnerability lies, was enough to allow a seasoned attacker to find the vulnerability within just a few tests. As a matter of fact, a few days later the MailPoet vulnerability was being exploited in the wild. That means someone built an automated script or process to crawl websites, identify those running the vulnerable version of the plugin, and exploit them.
Ethical and Responsible Vulnerability Disclosure
Even though Sucuri did follow the rules, the process was not ethical and put millions of websites in danger. We all know, and Sucuri knows much better than most, that users take time to update their WordPress plugins and any other software they use. This is something else MailPoet tried to highlight in their blog post: when you run an online service, as Sucuri does, you only need to update your own installation to fix the issue, and the fix is live for every user immediately.
But in cases like this one, where the plugin author has no control over when users will upgrade their copy of the plugin, Sucuri should have acted more prudently and released the advisory, or the details about the vulnerability, at a later stage. That is exactly what Nik Cubrilovic did when he identified several critical vulnerabilities in the Disqus WordPress plugin, another very popular WordPress plugin. He advised the public that there were vulnerabilities, but only disclosed the details about two months later.
It is not the first time Sucuri has been in this hot seat. Just a few weeks back they temporarily published the technical details of a DOM XSS vulnerability in the default WordPress theme Twenty Fifteen before a patch was available. Temporary was enough for them to get all the credit for it, even though the vulnerability was discovered by Netsparker, a software company that develops an automated web application security scanner.
Using Advisories for Publicity
Many companies claim that they do not release advisories for publicity but to help the community. I do not believe them, and if they really do not, they had better start doing so as soon as possible. Releasing advisories is a good marketing campaign to show your team's or your software's capabilities, and to show the world that you know a thing or two about the business you operate in. So do it; there is nothing wrong with publishing advisories and using them for publicity.
But we should be more considerate, especially when dealing with easy to exploit vulnerabilities in very popular WordPress plugins, or any other software. Before we publish an advisory we should think twice about whether what we are doing is really for the good of the users and the millions of WordPress websites, or for the good of our business. Just because the rules state that it is responsible to release an advisory once a security patch is available to the public, it does not necessarily mean it is ethical to do so. As we have learnt from this Sucuri vs MailPoet feud, our actions can put millions of WordPress websites at risk, so think twice before you act.