This is an online reproduction of the letter sent to First State Super today.
I was disturbed to read about First State Super’s response to the ethical disclosure of a serious vulnerability in your financial software by Patrick Webster last month. As a fellow Australian software security professional, I’m worried by the dangerous precedent that this sets.
As you’d be aware by now, this incident has gained worldwide attention and as you’d also be aware, the public response hasn’t exactly been in First State’s favour (refer to Security Researcher Threatened With Vulnerability Repair Bill on Slashdot). What Patrick did – and what many of us do – is make a conscious effort to partake in what’s referred to as “responsible disclosure”. The intent is to alert the organisation to potential risks in their software in an ethical fashion so that they may be remediated before they are maliciously exploited. As appears to be the case here, frequently these risks are simply observed by security conscious customers during the course of their legitimate use of the software.
The usual response on behalf of the recipient of an ethical disclosure is one of appreciation that an embarrassing flaw in their software has been identified before damage is done. I’m not implying “appreciation” in any monetary sense; the vast majority of us simply want to make the web a safer place without any expectation of reward. Clearly it is advantageous for the software owner that such vulnerabilities are reported ethically and with good intent as opposed to being exploited for one’s personal gain.
First State’s response was highly unusual, which is why it has garnered all the attention: get police and lawyers involved, threaten the researcher with rectification costs and then demand access to his computer equipment. This is a particularly irrational and unreasonable response to someone whose intent was clearly to ensure the safety of your customers and the integrity of your reputation.
But the real concern I have, and the catalyst for this letter, is that your actions have set a very worrying precedent, one which may cause honest, ethical individuals to become afraid of acting in good faith. The message this sends is that it is better to simply “look the other way” when vulnerabilities are observed. In fact, for people in Patrick’s position, the message you’ve sent clearly says it is better to leave vulnerable software exposed and at risk of truly malicious activity than it is to privately and responsibly inform those who have failed in their duty to properly secure it in the first place. Your position appears to be to conceal and punish rather than to embrace and improve.
Building software can be a complex business and security vulnerabilities will always exist at some level in the design. Most companies embrace the security contributions of the software community and some, such as Google, even promote and directly reward responsible disclosure. Fortunately, First State’s heavy-handed position is rare, as is evidenced by the adverse attention it has received. Hopefully future ethical disclosures are dealt with more responsibly by First State, not just for the sake of your customers’ security, but so that those who selflessly contribute to the security of all our online activities can continue to do so.