viernes, 19 de noviembre de 2010

Uncoordinated disclosure or bad credits…? Rethinking my own disclosure’s policy

Disclaimer: This is only my personal opinion based on logical assumptions, following the timeline while I was trying to publish my researching. I won’t provide any information about contacts, names, etc.


When I posted this, I really thought that this issue was fixed, so why do I get credits again (from yesterday's update)?

Issue was found using fuzzing on Google Chrome. In early August, Chrome Security Team got fixed releasing Google Chrome 5.0.375.125, but I knew that issue was affecting to Webkit (and nightly builds), so I had to wait before make my own disclosure (Safari also was affected). In late August, Apple Security Team contacted me (I suppose that Chrome Security Team provided my contact information) and they would fix the issue on September and like to know how to credit me on Apple Security Update Site, so I provided my usual information as “Jose A. Vazquez of spa-s3c…” and I waited for the Security Update. On 7th September Apple updated Safari to 5.0.2/4.1.2 and I thought that this would be my hoped update, but when I checked it, I noticed that they didn’t fix my issue…? Next day, they published another update on iOS and they gave me credits…? So I contacted again and asked them, they confirmed that it was the fix which I was waiting. I tested again the PoC and it still worked, but as I was (and am yet) a beginner, I thought that it probably would be the Null ptr dereference. Wtf?! Apple confirmed that it was fixed. But my question is if it was fixed…Credits on same issue? Fixed issue?

Responses probably would be these:
  1. Failure (Apple) on Credits (unlikely).
  2. Failure (Apple and me) on coordinated disclosure.
I’ve downloaded current release (5.0.3) and tested the issue again and it hasn't worked, not crash and not Null ptr.

In short, this smells like an uncoordinated disclosure, they fixed the issue on iOS but it still was alive on Safari for MacOS, Windows, etc. Assuming the latter case (uncoordinated disclosure) I have a new question about large temporal differences on using fixed code in stable releases (having a third party as common denominator).

Clearly, I tried to make a responsible and coordinated disclosure but finally, I made a bullshit... My failure or Apple failure? Each one draw their own conclusions.

Be safe ;)

No hay comentarios: