Cloudbleed and ethical disclosure
On February 23rd 2017, the content delivery provider Cloudflare revealed a serious vulnerability in the software it uses to process webpages as they travel across its network. Due to a programming error that caused a memory leak, Cloudflare’s software would insert the contents of server memory into webpages under a specific yet limited set of circumstances. According to Cloudflare, the inserted server memory could include “private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data”, all of which could be read by an attacker. Some of these webpages containing private information had also been inadvertently cached by search engines, complicating the cleanup.
The issue was reported to Cloudflare by Google security researcher Tavis Ormandy, who detailed the course of events following notification on Project Zero’s issue tracker. What I find interesting and which relates to IT ethics is the way in which Cloudflare went about the process, and how they eventually disclosed the issue to their customers.
There are two main types of disclosure in use: responsible disclosure and full disclosure. While not quite an ethical dilemma, the two approaches are often at odds with each other. From the discussion on the issue tracker it appears that both parties wanted to follow responsible disclosure, but because sensitive information was already present in search engine caches, Google’s recommendation leaned more towards full disclosure.
Initially Cloudflare seemed cooperative, but communicated less as the days went by. Ormandy said the Cloudflare blog post “severely downplays the risk to customers”, which raises the question:
Should a company downplay a vulnerability in order to avoid scaring customers (and potentially losing them), or should the company focus on being transparent and avoid sugarcoating the matter?
Balancing business needs against ethical disclosure can be hard. Some of the thoughts I’m wrestling with now…
P.S. - This blog uses Cloudflare and was not affected by the memory leak per the email I received, which I have confirmed with my own audit:
Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.