3. The Adversary of Cybersecurity: Hackers 51

practice of “marketing” vulnerabilities emerged. Researchers created catchy names, logos, and official websites to make their findings more accessible and for public relations purposes—discovering an important vulnerability can make a cyber researcher’s career (see Figure 3.5). The OpenSSL vulnerability was dubbed Heartbleed because it exploited OpenSSL’s heartbeat protocol (i.e., a protocol to determine whether a connection was still “alive”). Other examples of famous vulnerabilities in FOSS include ShellShock and Log4j.

Figure 3.5 The Heartbleed Bug’s website and logo.

Over time a de facto process has emerged for finding and reporting vulnerabilities, called responsible disclosure. Responsible disclosure refers to the steps taken to report a discovered vulnerability to an organization. In the early era of cybersecurity research, individuals would quietly notify companies that they had found a security flaw in the company’s product or website that could be exploited by bad actors, and then the researchers would assume they had done their good duty and move on. However, the researchers were surprised to discover that companies either did not believe them, did not understand the risk, or did not care, and in many instances the vulnerabilities were never fixed. This frustrated cybersecurity researchers, who understood the risks to which the companies were exposing their customers. To force companies to take them more seriously, researchers began informing companies that after some reasonable period of time based on the perceived effort to address the vulnerability (e.g., 30 days), the researchers would publicly announce the vulnerability and provide a proof of concept for exploiting it. This subtle “threat” forces companies to engage with the researchers and take them seriously instead of just ignoring them.
Providing a proof of concept makes it easy for others (including bad actors) to exploit the vulnerability and is somewhat controversial. However, this removes any doubt that the vulnerability is legitimate. Many cybersecurity researchers found that the proof of concept was necessary because sometimes companies would deny