When a white hat finds an exploit in a software project, the standard practice is coordinated disclosure (also known as "responsible disclosure"): that is, they inform the project team and then work with them to fix the exploit before it is publicly announced. At LGTM.com, we run continuous variant analysis, a new and potent approach to finding vulnerabilities, on over 130,000 open source projects with the results publicly available to anyone who cares to examine them. Given that some of our analysis results pinpoint potentially exploitable weaknesses in widely used projects, doesn't this give an advantage to black-hat hackers? Doesn't it increase the chances of another breach like the Equifax disaster? Isn't it, in a word, irresponsible?
In fact, making results public on LGTM is the only responsible option. Public security results are the key to solving the security crisis in open source projects, which, despite increasing developer awareness, is only getting worse. This post explains why.
Variants are not necessarily vulnerabilities
LGTM's variant analysis finds variants of known vulnerabilities, such as cross-site scripting. But while variants generally represent weaknesses in the code which should be fixed, not all of them represent exploitable vulnerabilities.
For example, one of our queries finds places in code where the return value of a call is not checked properly, which can lead to a buffer overflow. Although a variant found by this query is usually a bug, in that it leads to aberrant program behavior and should be fixed, it is only rarely on a path that makes it an exploitable vulnerability.
When our security research team finds an exploitable vulnerability in a project, we always work with the project team to fix the bug before it is publicly announced, to minimize the possibility of someone exploiting the issue. But because variants are not necessarily exploitable, they do not require the same level of secrecy as proven vulnerabilities.
Only the open source community can secure open source software
More to the point, keeping the variant-analysis results secret, or putting them behind a wall and only sharing them with the project leaders, will have no lasting impact on the security of open source software generally. We are aiming to secure all open source software, and we believe that the only way to secure open source software is to apply the principles of transparency and community effort that made open source software a success in the first place. That is, to secure open source software, you have to empower the community to make open source software secure. Keeping our results behind a wall would ensure that the community's approach to security will not change, since results that are not visible to the community will not be fixed by the community.
Variants are easy to fix; vulnerabilities are difficult to exploit
Fixing a security variant is always easier than exploiting one — typically drastically so. For example, adding a bounds check to correct a potential buffer overflow, or a call to a sanitizer function to correct a potential SQL injection, will typically amount to only a few minutes' work. By contrast, creating a working exploit from a potential vulnerability is a small engineering project in its own right, as a number of our recent blog posts illustrate.
Because fixing variants is so much easier than exploiting them, any variant that is publicly known is far more likely to be fixed than to be exploited. This means that the major challenge in securing open source software is in making variants known to the community — something which only LGTM does. LGTM also automatically flags variants of well-known vulnerabilities, preventing them from being added afresh into open source projects. As LGTM usage grows, hackers will have to work harder and harder to find exploitable bugs in open source projects, and will have to work faster to exploit them before they are patched.
Advantage: OSS Community
Our approach to securing the world's software includes empowering the open source community to secure open source software for good. This means we make our LGTM analysis results public so that anyone who wants to can fix a potential security vulnerability before it's exploited. It's not a choice we've made lightly, and we think it's the right one.