Sunny California seems replete with start-ups, surfers, celebrities and, of course, organic produce – an altogether dreamlike milieu – and one that says, “we’re all okay, man.”
But who knew that beneath this positive surface lies something potentially much, much darker. And much more….corporate.
“Responsible disclosure” is an ethical issue that underlies all independent vulnerability research, and often hamstrings public awareness. But, it keeps the wolves at bay as well, by not making security holes a matter of public record for every hacker out there to rush to exploit. It’s a bit like law enforcement keeping murder details out of the press until the perp is arrested.
Everything typically works out as long as vendors and researchers are committed to working together for the common good. A recent incident, though carried out in the name of responsible disclosure drew some new battle lines in the discussion. Where does responsibility end and censorship begin?
To wit: Airbus security researcher Raphaël Rigo was planning a talk at the Syscan conference in Singapore in late March, to discuss the efficacy of security vendor Blue Coat’s ProxySG product, which inspects corporate traffic for suspicious behavior. But Rigo was effectively silenced by the company. Whether or not he should have been is the matter up for discussion.
It started out innocently enough.
“As his talk is about one of our products, ProxySG, I would like to contact him prior to the talk to ensure we have time to address any vulnerabilities that he may have discovered,” Blue Coat senior security architect Tammy Green told conference organizer Thomas Lim, of security services provider Coseinc, in January via email.
But Rigo said that he wasn’t planning to reveal any specific vulnerabilities in ProxySG – indeed none had been found. Rather, he planned to offer an overview of the product’s operating system and how it works, and his assessment of its security approach – as it monitors IT policy compliance, certain hardening techniques could be useful to make it a better product.
But the Sunnyvale-based company wouldn’t let it go, according to Rigo. While he declined to comment in the media, Rigo said in his emails with conference organizers that Blue Coat asked him to remove a slide that contained “information you can find in their public documentation.” He said Blue Coat was “scared” of the presentation, and that he was “very sorry of [sic] this mess which is unfortunately way beyond my control.”
After two months of back and forth, Rigo contacted Lim to say that the discussions with Blue Coat “may have consequences on either the content of my talk or even the possibility that I give it.” According to Forbes, he then had to cancel just three days before he was scheduled to talk.
Now this looks for all the world like Blue Coat strong-armed Rigo into not revealing potentially unflattering research. But the official story massages the sharp corners.
Blue Coat noted that, “Following responsible disclosure practices, Blue Coat requested more time from Airbus to review and validate the research, and to mitigate any risks to our customers associated with the public disclosure of the presentation….Blue Coat did not bully or otherwise threaten Airbus into withdrawing its presentation at the security conference.”
Blue Coat is instead collaborating with Airbus to “share their original research findings at the conclusion of our investigation.”
The official statement from Airbus was to the point and fell into the narrative: “Airbus Group is currently discussing collaboratively with Blue Coat on the elements of the talk intended today. Although the information at this time does not reveal any security vulnerabilities in products, it does provide information useful to the ongoing security assessments of ProxySG by Blue Coat. Once that work is complete, Airbus Group & Blue Coat will jointly come back and share the research findings at a later conference in the spirit of responsible and safe disclosure to the community.”
Is this spin or truth? Was Rigo unfairly censored in the name of corporate brand reputation? Or was it all a justifiable situation and part of being an ethical white hat? We welcome your comments.