12

Inspired by this question, I wrote this comment:

"I would like to know if this [bit of code I am posting on a publicly accessible SEO-optimized website as part of a high-visibility Hot Network Question] is a recent known or 0-day vulnerability." If the answer was yes, do you think posting it here would really be the best course of action, for everybody else's security?

Here's a meta question: is it the best course of action?
Should such details be included in questions, or should such content be prohibited, or something in between?

Note: I do not at all think this is a new issue, but I do think we should discuss where this SE site stands on the long-ongoing debate.

5
  • What is your main concern in posting the code in question?
    – Darren
    Commented Jun 20, 2019 at 13:59
  • @Darren If we have easily discoverable details about how to exploit an unpatched vulnerability, it seems like it would make exploitation of that vulnerability more likely. Even if a patch has been written, not everybody's applied it, so publicizing exploit code on this site would seem to lower the barriers to exploitation and make attacks more likely (including against targets who do not regularly read this site).
    – WBT
    Commented Jun 20, 2019 at 14:54
  • 3
    If the only bar to entry in "finding" the 0 day is "I have an internet-facing server", you're not going to be the one discovering or posting about or making it easily available first. Commented Jun 20, 2019 at 22:18
  • I am the OP of the linked question and want to clarify: I did not decide to put my question into the hot network, SSE did on my behalf. Sarcasm mode: I guess that Tinder's visibility algorithm is much more transparent than HNQ visibility Commented Jun 24, 2019 at 7:29
  • @usr-local-ΕΨΗΕΛΩΝ The formula is known (although hidden away on meta.SE), but very roughly you'll end up there if you get two highly-voted answers on a question early in its life. Commented Jul 2, 2019 at 19:29

3 Answers

8

We should not restrict the posting of security issues in questions or answers as long as the person posting them meant to do so (i.e. it's fine to redact accidentally-revealed sensitive information). This is part of the endless coordinated disclosure vs full disclosure debate. We should not be taking any one side. If security details are relevant to the post and the post is on-topic, then it should be allowed.

If I want to drop a 0day, I should not be prevented from doing so just because it's a 0day.

1
  • If it is an issue so well known that it shows up here, there is no doubt that it has already been known to malicious actors. It is no worse than posting information about lock picking at that point.
    – Booga Roo
    Commented Jul 2, 2019 at 18:30
5

This should definitely not be disallowed; imagine trying to ask, "could I have been affected by this" if you can't show what "this" is.

This is taking the ongoing industry argument about responsible disclosure and applying it to everything, including known vulnerabilities... "Well, someone might post a 0day or exploit that someone doesn't have patched, so don't allow any code/artifacts/evidence to be posted at all."

2
  • 2
    "Don't allow any code/artifacts/evidence to be posted at all" is NOT even suggested by the post above; the answer attacks a straw man.
    – WBT
    Commented Jun 21, 2019 at 13:08
  • Sorry for the necro, but "should such content be prohibited" <- this is an all-or-nothing option in effect, whether it's intended to be or not; if you don't know what a piece of code is, how can you know it will not run afoul of a restriction on posting exploit code? You'd either end up with people not posting unknown code (if enforcement is strict), or people ignoring the rule if enforcement is lax. Commented Oct 3, 2019 at 19:49
1

This is a classic argument about security vulnerabilities: "Should we show everyone this vulnerability in this bit of software - then the bad guys will know how to use it!"

It may not surprise you that this discussion has been around since at least 1785, when Joseph Bramah, an inventor from Yorkshire, released a book called 'A Dissertation on the Construction of Locks' in which he exposed the weaknesses of the (at the time) current 'thief-proof locks'.

His central tenet was that thieves (and locksmiths) knew the weaknesses of locks anyway, whereas the general public (who were buying the locks) did not: his belief was that if the public was educated about such matters, they would be better able to protect themselves by bringing their knowledge up to the level of miscreants and professionals and thus be able to choose a better lock.

(It may also not surprise you that after exposing the weaknesses of another company's lock, he brought his own lock to market. To be fair to him, though, he offered a prize of 200 guineas - around £27,000 GBP depending on assessment type - to the first person to pick the lock, which didn't happen for 67 years, until an American, Alfred Hobbs, did so in 1851. It took him around 51 hours over 16 days.)

I firmly believe that this has parallels in today's software-heavy society: vulnerabilities should be openly discussed so that a general user may be made aware of any potential issues (that criminals and professionals are likely to know about anyway) and, thus educated, can make better choices to protect themselves.

So, in a long-winded way, to answer the question, "Do you think posting it here would really be the best course of action, for everybody else's security?" I believe that the answer is yes.

Just to note, I choose to interpret 'here' in an abstract way to mean, 'the internet', as well as stackexchange.
