Responsible Zero Day Disclosure
A zero day vulnerability is a software bug for which a patch has been available for zero days: the vendor has not yet shipped a fix. A zero day exploit is the code attackers use to take advantage of a zero day vulnerability. If a zero day is publicly disclosed and no patch is released for a month, it is still a zero day for that whole month. The zero refers to the number of days a fix has been available to apply, so it is a measure of how long users have been able to mitigate the risk, not of how long the bug has existed.
Let’s take a closer look at a recent disclosure: on July 8th, 2019 a zero day vulnerability was disclosed in Zoom/RingCentral products, and it wasn’t the first time such a vulnerability was found; a similarly unpatched vulnerability affecting Zoom/RingCentral products was disclosed in October 2018. This latest vulnerability appears to only impact macOS, but it is scary because uninstalling the software doesn’t mitigate the risk: the vendor leaves a hidden web server running on your Mac so the software can be reinstalled without your consent. I digress... this post is about disclosures, not specific vulnerabilities.
The Medium article from July 8th states:
This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline.
Security researchers who find zero day vulnerabilities and fully disclose them immediately benefit from the scary and dramatic nature of the revelation. The responsible thing to do is exactly what this researcher did: privately disclose the vulnerability to the vendor and give them ninety days (give or take, depending on the specific circumstances) to validate and fix the issue. This system works best for all involved parties: the security researcher still gets credit for the discovery, the vendor has a fix ready when the vulnerability is disclosed, and users can address the issue immediately.
Another interesting bit from the disclosure timeline in the Medium article:
Offered and declined a financial bounty for the report due to policy on not being able to publicly disclose even after the vulnerability was patched.
The researcher declined a financial award for the discovery because they didn’t want to cede their ability to publicly disclose it. NDAs are not standard for zero day disclosures, especially when handled in a responsible fashion. It makes you wonder how many other zero day vulnerabilities have gone undisclosed because of an NDA. This situation is a perfect example of why responsible disclosure is so important: Zoom was publicly pressured into fixing their software, and this very likely also led to a greater internal focus on security.