Elliot Speck Disk Space Invader

Reporting Faults in the Industry That Cries Wolf

There are a lot of links in this post. Some of them go to Twitter, and some to vulnerability disclosure marketing pages. Overall, they mostly provide context. Additionally, a lot of the debate is about the vulnerability itself. This post has nothing to do with that, because to be honest I've used PGP so few times that I still instinctively type PHP - a language I haven't used regularly since approximately 2010 - instead. I used it for email exactly once, to email a journalist, who responded in kind to tell me he had no need for the information I had given him. After that, I gave up.

Recently a "critical vulnerability" in PGP was released to the world as CVE-2017-17688 and CVE-2017-17689. "Critical vulnerability" is, at best, a touch of an overstatement of the core issues. Other researchers put its risk rating at approximately 5.9 out of 10; a level I'd describe as "bordering above lukewarm".

For about half a decade it has been on trend to dramatically maximise the amount of exposure you can get for your vulnerability discoveries. Some were relatively justified, such as Heartbleed - a vulnerability in the then-current OpenSSL 1.0.1 series that, at the time of its discovery, affected a very large share of the TLS servers on the internet. Increasingly, though, this is far less the case. That isn't because cool vulnerabilities are running scarce, but because people have seen those marketing pages and assumed that they too can have their time in the spotlight for even the most menial (or utterly falsified) of findings. Crying wolf has - unfortunately - become increasingly common.

Some time ago, a penetration tester I follow on Twitter posted a tweet asking what other penetration testers tell organisations that are in a really bad place. The core discussion that followed was mostly focused on delivery, with the information security industry being described as 'alarmist'. This isn't a label I disagree with, and I've independently spent a great deal of time honing my methods for reporting issues responsibly, carefully, concisely and - most importantly - evenly.