Changing to Coordinated Disclosure

UPDATE 5/17/2016: The proof of concept (PoC) for CVE-2016-1287 is now live at https://github.com/exodusintel/disclosures

Last week Exodus finished disclosure on CVE-2016-1287, “Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability”, officially marking the first time that we have gone through the process of coordinated disclosure. This disclosure represents a change in our internal policies and warrants a discussion of the particulars of the change and what it means for Exodus going forward.

Previously, Exodus had an official policy of non-disclosure. Our main customer base is composed of defensive-product vendors that use the detailed research and analysis of the vulnerabilities Exodus discovers to implement 0-day protection measures inside their products. A smaller segment of our customer base consists of organizations with a mature security program and penetration-testing organizations looking to leverage 0-day to implement their own protections and to simulate nation-state-level attacks that test the effectiveness of their defense-in-depth measures. The intent behind non-disclosure was to provide maximum value for our customers by ensuring they could use the 0-day for as long as necessary before it was patched. We believed that, since defensive security vendors were already releasing mitigating controls, it was a nuanced yet safe trade-off to provide that value for our customers.

We’ve realized that 0-day can have quite a long shelf life if left undisclosed. Exodus and our customers have known about some of the 0-day vulnerabilities in our feed for four years. When we reviewed our policy, it became clear that such a shelf life far exceeds the time our customers need to extract value from our feed. Therefore, going forward we will practice coordinated disclosure with vendors.

Our policy will give vendors about 90 days to produce a patch. We will upload an encrypted archive containing all the requisite information to Exodus’ disclosure GitHub repository, then e-mail the vendor the decryption information for the archive. Once the 90 days have expired, we will tweet the password to the encrypted archive. We believe this process is the best trade-off that allows Exodus to disclose vulnerabilities without impeding our primary duty: to find new 0-day vulnerabilities and prove exploitation for our customers.