{"id":263,"date":"2015-01-28T20:13:47","date_gmt":"2015-01-28T20:13:47","guid":{"rendered":"http:\/\/outworx.com\/blog\/?p=263"},"modified":"2017-01-20T11:07:15","modified_gmt":"2017-01-20T11:07:15","slug":"qualys-approach-disclosing-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/","title":{"rendered":"Qualys&#8217; Approach to Disclosing Vulnerabilities"},"content":{"rendered":"<p>In November of 2014, Qualys found a severe bug in Linux&#8217;s libc. \u00a0The gethostbyname routines were subject to buffer overflow. \u00a0Qualys developed a proof of concept exploit that showed how a specially crafted email could let an attacker gain remote access to a system without any credentials. \u00a0The exploit, named <a title=\"Qualys blog on GHOST vulnerability\" href=\"https:\/\/community.qualys.com\/blogs\/laws-of-vulnerabilities\/2015\/01\/27\/the-ghost-vulnerability\" target=\"_blank\">GHOST<\/a>, was shared with several Linux distributions who produced patches. \u00a0When Qualys \u00a0publicly announced the vulnerability, their blog page listed URLs to the distros&#8217; patches.<\/p>\n<p>Qualys says that they will publicly release their proof of concept exploit once the vulnerability has reached its <em>half life<\/em>. \u00a0According to Qualys,<\/p>\n<blockquote><p>Half-life is the time interval measuring a reduction of a vulnerability\u2019s occurrence by half<\/p><\/blockquote>\n<p>Qualys does security scans on over a hundred million devices, so they can determine a vulnerability&#8217;s half life quite accurately.<\/p>\n<p>Qualys&#8217; approach offers an important contribution to the full disclosure versus responsible disclosure debate. 
\u00a0We can summarize\u00a0the approach they took with this bug in four points:<\/p>\n<ol>\n<li>Qualys discovered a vulnerability.<\/li>\n<li>Qualys privately disclosed the vulnerability to affected vendors.<\/li>\n<li>When the vendors had\u00a0patches ready, Qualys publicly announced the vulnerability, along with enough details that people could evaluate its severity.<\/li>\n<li>Qualys waits until half of the end users have patched it before fully releasing details of the exploit proof of concept.<\/li>\n<\/ol>\n<p>This spirit of cooperation and responsible disclosure seems far superior to the rigid 90-day rule Google uses. \u00a0Waiting until half of the end users have patched before releasing the exploit kit also seems a gentler way of doing things. \u00a0(However, end users must assume that criminals will work on developing exploits as soon as the existence of the vulnerability is announced. \u00a0You need to patch when the announcement is made, not when the half-life is near.)<\/p>\n<p>While the GHOST vulnerability was actually fixed in under 90 days, not everything can be. \u00a0If someone invents a practical quantum computer, many of the venerable security algorithms, e.g. RSA and ECC, will need to be replaced. \u00a0<a title=\"RFC 6916\" href=\"https:\/\/tools.ietf.org\/html\/rfc6916\" target=\"_blank\">RFC 6916<\/a> describes how this migration could take years. \u00a0A Crypto Apocalypse simply can&#8217;t be fixed in 3 months.<\/p>\n<p>As vulnerabilities are discovered, it&#8217;s in everyone&#8217;s best interest to work together to fix them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In November of 2014, Qualys found a severe bug in Linux&#8217;s libc. \u00a0The gethostbyname routines were subject to buffer overflow. \u00a0Qualys developed a proof of concept exploit that showed how a specially crafted email could let an attacker gain remote access to a system without any credentials. 
\u00a0The exploit, named GHOST, was shared with several &hellip; <a href=\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Qualys&#8217; Approach to Disclosing Vulnerabilities&#8221;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":522,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"xn-wppe-expiration":[],"xn-wppe-expiration-action":[],"xn-wppe-expiration-prefix":[],"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0},"categories":[13],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Qualys&#039; Approach to Disclosing Vulnerabilities | OutworX<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Qualys&#039; Approach to Disclosing Vulnerabilities | OutworX\" \/>\n<meta property=\"og:description\" content=\"In November of 2014, Qualys found a severe bug in Linux&#8217;s libc. \u00a0The gethostbyname routines were subject to buffer overflow. \u00a0Qualys developed a proof of concept exploit that showed how a specially crafted email could let an attacker gain remote access to a system without any credentials. 
\u00a0The exploit, named GHOST, was shared with several &hellip; Continue reading &quot;Qualys&#8217; Approach to Disclosing Vulnerabilities&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"OutworX\" \/>\n<meta property=\"article:published_time\" content=\"2015-01-28T20:13:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-01-20T11:07:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/qualys-aporach-1024x490.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"490\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Outworx\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\",\"url\":\"https:\/\/www.outworx.com\/blog\/\",\"name\":\"OutworX\",\"description\":\"Blogs, News and Updates of IT Industry | OutworX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.outworx.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/qualys-aporach-1024x490.jpg\",\"contentUrl\":\"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/qualys-aporach-1024x490.jpg\",\"width\":1024,\"height\":490,\"caption\":\"qualys 
aproach\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#webpage\",\"url\":\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/\",\"name\":\"Qualys' Approach to Disclosing Vulnerabilities | OutworX\",\"isPartOf\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#primaryimage\"},\"datePublished\":\"2015-01-28T20:13:47+00:00\",\"dateModified\":\"2017-01-20T11:07:15+00:00\",\"author\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.outworx.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Qualys&#8217; Approach to Disclosing Vulnerabilities\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461\",\"name\":\"Outworx\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g\",\"caption\":\"Outworx\"},\"sameAs\":[\"http:\/\/www.outworx.com\"],\"url\":\"https:\/\/www.outworx.com\/blog\/author\/outworx\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Qualys' Approach to Disclosing Vulnerabilities | OutworX","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/","og_locale":"en_US","og_type":"article","og_title":"Qualys' Approach to Disclosing Vulnerabilities | OutworX","og_description":"In November of 2014, Qualys found a severe bug in Linux&#8217;s libc. \u00a0The gethostbyname routines were subject to buffer overflow. \u00a0Qualys developed a proof of concept exploit that showed how a specially crafted email could let an attacker gain remote access to a system without any credentials. \u00a0The exploit, named GHOST, was shared with several &hellip; Continue reading \"Qualys&#8217; Approach to Disclosing Vulnerabilities\"","og_url":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/","og_site_name":"OutworX","article_published_time":"2015-01-28T20:13:47+00:00","article_modified_time":"2017-01-20T11:07:15+00:00","og_image":[{"width":1024,"height":490,"url":"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/qualys-aporach-1024x490.jpg","type":"image\/jpeg"}],"twitter_misc":{"Written by":"Outworx","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.outworx.com\/blog\/#website","url":"https:\/\/www.outworx.com\/blog\/","name":"OutworX","description":"Blogs, News and Updates of IT Industry | OutworX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.outworx.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/qualys-aporach-1024x490.jpg","contentUrl":"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/qualys-aporach-1024x490.jpg","width":1024,"height":490,"caption":"qualys aproach"},{"@type":"WebPage","@id":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#webpage","url":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/","name":"Qualys' Approach to Disclosing Vulnerabilities | 
OutworX","isPartOf":{"@id":"https:\/\/www.outworx.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#primaryimage"},"datePublished":"2015-01-28T20:13:47+00:00","dateModified":"2017-01-20T11:07:15+00:00","author":{"@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461"},"breadcrumb":{"@id":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.outworx.com\/blog\/qualys-approach-disclosing-vulnerabilities\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.outworx.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Qualys&#8217; Approach to Disclosing Vulnerabilities"}]},{"@type":"Person","@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461","name":"Outworx","image":{"@type":"ImageObject","@id":"https:\/\/www.outworx.com\/blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g","caption":"Outworx"},"sameAs":["http:\/\/www.outworx.com"],"url":"https:\/\/www.outworx.com\/blog\/author\/outworx\/"}]}},"_links":{"self":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/263"}],"collection":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/comments?post=263"}],"v
ersion-history":[{"count":8,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/263\/revisions"}],"predecessor-version":[{"id":903,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/263\/revisions\/903"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/media\/522"}],"wp:attachment":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/media?parent=263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/categories?post=263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/tags?post=263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}