November 11, 2018 01:08 pm PST

Oracle's bad faith with security researchers led to publication of a Virtualbox 0-day

In the debate over "responsible disclosure," advocates for corporate power say that companies have to be able to decide who can reveal defects in their products and under which circumstances, lest bad actors reveal their bugs without giving them time to create and promulgate a patch.

But over and over again, this theory of corporate responsibility and security researcher intransigence falls apart. The reality is that the kinds of security researchers who want to report bugs (rather than using them to attack people) are primarily interested in improving security, and corporations that offer good-faith promises (and live up to them) can easily tempt researchers into coordinating their disclosures. When corporations threaten researchers or fail to act on their warnings, the result isn't silence -- it's uncoordinated disclosure, when a security researcher simply publishes their findings without warning the company first.

The latest example of this is Sergey Zelenyuk's publication of a "100% reliable" exploit against Virtualbox, Oracle's popular virtual machine software. The exploit allows attackers to puncture the virtual machine's sandbox and access the underlying system's files and processes.

Zelenyuk published the zero-day bug because of Oracle's long history of mistreatment of security researchers (including threatening customers with legal retaliation if they hire auditors to examine the software Oracle sold them), and its cavalier handling of bugs, including a 15-month lag between learning of a similar bug and issuing a patch.

It's a sobering reminder that the "responsible disclosure" debate isn't about under which circumstances researchers can go public; it's about whether they choose to trust a company before going public.


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/CyK-Nt8wlY8/unreliable-oracle.html
