Tuesday, November 27, 2007

Some Comments on PayPal's Security Vulnerability Disclosure Policy

Thanks to the several places that have written about this policy in the last few days.

I was personally involved in crafting the policy and while I can't make commitments or speak officially for PayPal I thought I'd take a few minutes to explain our thinking on a few of the items in the policy.

First, some background. PayPal didn't have a good channel for reporting security issues until this policy was published. Our goals in creating and publishing it were several:
  • Improve the security of our site by getting security issues disclosed to us responsibly.
  • Create an easy mechanism for people to report a security vulnerability to us. We chose email since we figured security researchers would like it better than a form.
  • Create incentives for disclosure and remove disincentives (threat of legal liability)
  • Make clear our expectations in these areas, since this is a new and evolving area of security vulnerability disclosure with more than a little legal uncertainty.
  • Through our policy, set a standard we hope others can follow.
We carefully constructed the language in the policy with our privacy lawyers to ensure that we were not over-promising with respect to legal liability. We looked at other disclosure policies, and we settled on the policy you can find here.

A few specific notes are in order:

  • We will revise the policy over time based on user feedback.
  • We are serious in our commitment to rapidly address any discovered security issues with the site. Our language around a "reasonable timeframe" is deliberately a little vague because we don't want to over-promise on how quickly we can resolve an issue.
  • We do expect to get back to researchers quickly with confirmation of a reported issue and tracking data on how we're doing resolving it.
Let me now address a few concerns/comments people have specifically raised.

Chris Shiflett said:
Since data can be anything, how do we know if we view data without authorization? Don't most people assume they're authorized to view something if they're allowed to view it? Does intent matter?
While we don't want users to test the security of the PayPal site, those who do should be careful to minimize the disruption their testing causes. If you start tinkering with URLs to see whether you can view certain data, do it between two accounts you control; don't try to view other people's data. There is a fine line between testing responsibly and irresponsibly, and we're encouraging people to stay on the responsible side of it.

From Don's post:
I got a creepy feeling about actually trusting the statement. I will probably never attempt to test the security of PayPal’s site, but for those who do I would hate for the disclosure statement to change suddenly.
As I said earlier, we do believe the policy is a work in progress. We will modify it from time to time to allay concerns, improve its effectiveness, and so on. Our goal, however, is to encourage responsible disclosure, and I hope the intent behind the policy is enough to allay people's potential fears.

One final note on the statement "Allow us reasonable time to respond to the issue before disclosing it publicly." We struggled over the wording of this more than any other element of the policy. It is a tricky business to strike the right balance between early disclosure, our commitment to protect our customers and their data, and people's desire to know about the security of a given website or service. That said, we're committed to working with researchers when an issue is reported to us, and we'll decide what is reasonable on a case-by-case basis.

We're hoping that this policy strikes a good balance between our desire for responsible disclosure, and not discouraging researchers from coming forward.

Again, I'm not a spokesperson for PayPal, so this post naturally represents my personal beliefs about this policy, not a firm, binding statement of company policy. That said, I welcome your comments.


kuza55 said...

"Create incentives for disclosure and remove disincentives (threat of legal liability)"

Well, you've removed the disincentive of legal action, but I don't see how you've put forward any incentive for people to report vulnerabilities to you.

Andy Steingruebl said...

Fair enough. Let me mull on it.

Unknown said...

You offer the fame (and fortune?) of being formally recognized by PayPal as the individual that found the vulnerability.

And throw them a pizza and beer party.

Anonymous said...

I believe you are all on the right track. In our conversations I have mentioned the use of a change log to help with transparency. Although I have hashed the original statement, perhaps you could digitally sign this and future versions that you develop so that people know you haven't pulled a fast one.

Certainly I don't believe that is the intent, but big companies are a funny thing. Management one day might not be the same management the next. The public is used to seeing "the contents of this statement may be changed at any time and without warning." Yes, those words are not in this version, but it is a general attitude that you are trying to help prevent by taking such measures.

Keep up the good work.

Go forth and do good things,
Don C. Weber
Security Ripcord
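Don's suggestion above, hashing each published version of the policy and signing it so readers can tell when the wording has changed, can be sketched in a few lines. The following is an added example, not code from this post or from PayPal; it assumes SHA-256 for the digest and Ed25519 for the signature (the comment names neither), uses a deterministic key derived from a seed string so the output is reproducible, and the policy sentences it signs are constructed sample text rather than PayPal's actual wording.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PolicyRelease is one published version of the policy: the text itself, the
// SHA-256 digest a reader can recompute, and the publisher's Ed25519
// signature over that digest.
type PolicyRelease struct {
	Version   int
	Text      string
	Digest    string // hex-encoded SHA-256 of Text
	Signature []byte // Ed25519 signature over the raw 32-byte digest
}

// KeyFromSeed derives a deterministic Ed25519 key pair from a seed string.
// This is an assumption made for reproducibility; a real publisher would use
// ed25519.GenerateKey with a proper random source and keep the key offline.
func KeyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed)) // NewKeyFromSeed needs exactly 32 bytes
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func digest(text string) [32]byte { return sha256.Sum256([]byte(text)) }

// Publish hashes the policy text and signs the digest with the publisher's key.
func Publish(priv ed25519.PrivateKey, version int, text string) PolicyRelease {
	d := digest(text)
	return PolicyRelease{
		Version:   version,
		Text:      text,
		Digest:    hex.EncodeToString(d[:]),
		Signature: ed25519.Sign(priv, d[:]),
	}
}

// Verify recomputes the digest from the text the reader actually holds and
// checks it against the published digest and the signature. A silently edited
// copy and a release signed with someone else's key both fail.
func Verify(pub ed25519.PublicKey, r PolicyRelease) bool {
	d := digest(r.Text)
	if hex.EncodeToString(d[:]) != r.Digest {
		return false
	}
	return ed25519.Verify(pub, d[:], r.Signature)
}

// VerifyLog checks every release in a change log against the publisher's
// public key and returns the version numbers that do not verify.
func VerifyLog(pub ed25519.PublicKey, log []PolicyRelease) []int {
	var bad []int
	for _, r := range log {
		if !Verify(pub, r) {
			bad = append(bad, r.Version)
		}
	}
	return bad
}

func main() {
	pub, priv := KeyFromSeed("policy-publisher-demo-seed") // constructed seed

	// Constructed sample wording, not PayPal's actual policy text.
	v1 := Publish(priv, 1, "Allow us reasonable time to respond to the issue before disclosing it publicly.")
	v2 := Publish(priv, 2, "Allow us 90 days to respond to the issue before disclosing it publicly.")

	// A copy whose text was changed after publication, digest and signature untouched.
	tampered := v1
	tampered.Text = "Allow us unlimited time to respond to the issue before disclosing it publicly."

	fmt.Println("v1 verifies:", Verify(pub, v1))
	fmt.Println("v2 verifies:", Verify(pub, v2))
	fmt.Println("tampered v1 verifies:", Verify(pub, tampered))
	fmt.Println("versions failing in log:", VerifyLog(pub, []PolicyRelease{v1, tampered, v2}))
}
```

The digest alone only lets a reader compare against a copy they saved earlier; the signature is what lets a reader who never saw the original confirm that a given version really came from the publisher, which is the "haven't pulled a fast one" property the comment asks for. Publishing the public key out of band is the part this snippet does not solve.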