Google Project Zero: 'Here's the secret to flagging up bugs before hackers find them'

Google's Project Zero has issues with Samsung and HackerOne's security bug reporting processes.
Written by Liam Tung, Contributing Writer

Video: Google launches its own security key.

Samsung's utterly confusing vulnerability reporting website has prompted one of Google's top security researchers to explain how companies should help researchers report bugs and eliminate hackable flaws in products quickly.

Google's Project Zero bug hunter, Natalie Silvanovich, who Microsoft has recognized as a top 10 researcher in the world, has a few tips for vendors of all types on how to handle reports from security researchers.

It's one of the many problems white-hat hackers face when investigating and reporting vulnerabilities to companies that frequently sue security researchers for telling them about a flaw, and sometimes even sue even security news reporters for telling the public about bugs.

Security companies do it, finance firms have called the cops on researchers, global accounting firm PwC threatened to sue a security researcher trying to help it, while lawmakers often propose bills that intend to punish bad hackers but in fact criminalize security research.

It's so dangerous for security researchers that the Center for Democracy & Technology, a Washington DC-based non-profit, recently released a report to shine a light on the risks they face in the US as they venture into gray areas of pre-internet laws like the Computer Fraud and Abuse Act (CFAA).

On the other hand, thanks to Mozilla, Google, Microsoft, and others, vulnerability reporting programs that reward researchers for reporting flaws have become more common.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

But how these programs are implemented has an important impact on whether bug reports reach recipients, and ultimately how quickly a bug gets fixed.

For a person like Silvanovich, who is capable of finding multiple critical coding errors in complex Microsoft software, figuring out how to report the bug shouldn't be that hard.

But it is, often because vendors -- even large ones like Samsung, which has adopted Google's monthly Android security patch system -- don't document the reporting process or fail to update outdated instructions.

Her first tip: "Effective vulnerability reporting processes are clearly documented, and the documentation is easy to find."

The second is to design a process that's short and straightforward, which can be handy when reporting literally dozens of flaws.

Not all researchers have the luxury of a Google wage to spend time finding out how to report a flaw, and might just give up, leaving the product flaw -- and its users -- exposed to attackers.

"Reporting processes that use email or bug trackers are usually the easiest, though webforms can be easy if they are not excessively long. While Project Zero will always report a vulnerability, even if reporting it is very time consuming, this is not necessarily the case for other bug reporters."

Tip three: test the reporting process. "While the majority we encounter are [tested], we've occasionally had bug-reporting email addresses bounce, webforms reject necessary information (like the reporter's name) and security issues go unnoticed in bug trackers for months despite following the documented process."

Legal agreements are another problem, especially with the rise of bug-reporting reward programs.

Project Zero's famous and, for the most part, strict 90-day disclosure deadline can put impose legal risks on its researchers. Not everyone agrees with the 90-day deadline, most notably Microsoft, which supports coordinated disclosure.

Either way, as the company debates the pros and cons of entering the agreement, bug reports are delayed.

Which leads to tip four: "While legal agreements are sometimes necessary for rewards programs and code contributions, good vulnerability reporting processes allow bug reporters to report bugs without them."

Vendors also need to remember to confirm to the reporter that they've received the report to ensure the report hasn't vanished into the ether. Again, this step saves time for everyone involved in fixing security flaws.

Lastly, she recommends companies give researchers a way to provide feedback about the process. Essentially, software vendors should be aiming for something like Google's own reward programs.

But it was Samsung's bug reporting page and a bug that could be exploited simply by sending an SMS to a Samsung S7 Edge that inspired Silvanovich's post.

After hitting the English 'Create report' button, Samsung's sign-up page assumed the whole world understood Hangul, the Korean alphabet, offering buttons that she had no idea how to respond to.

Had she first hit the sign-in button, she would have reached an English-language sign-up page. But everything after this was basically a time-waster.

"Clicking the links led to over 20 separate agreements, most of which had nothing to do with vulnerability reporting," she commented.

After filling in the various forms and agreeing to everything, Samsung's pages returned to a Hangul-only world.

Two terms irked her and simply clashed with Project Zero's practices. "You MUST hold off disclosing the vulnerability in reasonable time, and you MUST get Samsung's consent or inform Samsung about the date before disclosing the vulnerability," said Samsung.

"In some cases, Samsung may request not to disclose the vulnerability at all." Again, this clashes with Project Zero's insistence on disclosure.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

The regular appearance of Korean text throughout the process suggested Samsung hadn't tested its processes for an international audience, nor had it considered the effort it required of the researcher.

After all, vendors are supposed to be interested in securing their products. And while many companies might not be the size of Google or Microsoft, Samsung is, so it should have the resources to do testing.

She also takes a shot at HackerOne, the third-party bug-reporting platform used by Uber, General Motors, and the US Department of Defense.

HackerOne has a 180-day deadline and this clash popped up when fellow Project Zero researcher Tavis Ormandy reported CloudBleed, a dangerous bug affecting Cloudflare, which uses HackerOne.

"This vulnerability was also very urgent as it was actively leaking user data onto the internet, and we didn't want to delay reporting the issue while we read through HackerOne's terms to determine whether they were compatible with our disclosure policy," she writes.

"We find that vendors generally don't intend to prevent bug reports from anyone who won't agree to their disclosure rules, but this was the end result of Samsung and Cloudflare replacing their bug-reporting process with a rewards program."

Her final advice:

  • Vendors should regularly test their vulnerability reporting interfaces in all supported languages.
  • Vendors should streamline their vulnerability reporting processing as much as possible, and remove excessive clicks and legal agreements.
  • Vendors should regularly solicit feedback on their vulnerability reporting mechanisms from vulnerability reporters and people they think are likely to report vulnerabilities.

Previous and related coverage

Disclose.io: A safe harbor for hackers disclosing security vulnerabilities

The laws are murky when it comes to responsible disclosure of bugs, but Disclose.io intends to make things more clear-cut.

Windows 10 security: Google Project Zero shreds Microsoft's unique Edge defense

Google Project Zero says Microsoft's Arbitrary Code Guard in Edge fails where Chrome's site isolation succeeds.

Windows 10 bug: Google again reveals code for 'important' unpatched flaw

For the second time in a week, Google reveals another unpatched Windows 10 vulnerability.

Windows 10 security: Google exposes how malicious sites can exploit Microsoft Edge

Microsoft misses Google's 90-day deadline, so Google has published details of an exploit mitigation bypass.

Zero Day Initiative bug bounty ramps up rewards for server-side vulnerabilities

Special targets will now earn special rewards.

Windows 10's buggy updates force you to choose between security and stability, says user group TechRepublic

Sysadmins aren't satisfied with the quality of Windows 10 updates.

HP will pay hackers up to $10,000 to break its printers CNET

This is for every time the printer's told you it's out of toner.

Editorial standards