GitHub has generally been exemplary in their handling of crises, service
interruptions, and security, but there has recently arisen a significant
exception, one where I would like to see GitHub correct their irresponsible
behavior.

Four paragraphs explaining the `attr_accessible` problem
--------------------------------------------------------

Ruby on Rails by default allowed web requests to update arbitrary database
fields unless those fields were declared `attr_protected`, or unless some other
fields in the same table ("model") were declared `attr_accessible`.  

This means that, unless you're extremely careful, your Rails application would
allow random users to change things in your database that they shouldn't be
able to change or even see, just by guessing the names you'd given them and
typing those names into their browser.  Egor Homakov reported this as a bug in
Rails.  The Rails people argued it wasn't a bug, because people would be
extremely careful, unless they were stupid.  
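To make the mechanism concrete, here is an added example that is not Rails or ActiveRecord code: a tiny stand-in `MassAssignment` module that mimics the old behavior (every column writable unless a whitelist is declared), a constructed request hash that carries a guessed `admin` key, and two models, one without and one with an `attr_accessible` declaration. The class names, the `assign_attributes` helper and the request values are all assumptions made for the illustration.

```ruby
# Added illustration of the mass-assignment problem described above.
# This is NOT ActiveRecord; it is a small stand-in that mimics how Rails
# mass assignment used to behave, so the example runs with plain Ruby.
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Class-level whitelist, in the spirit of attr_accessible.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # nil means "no whitelist declared", i.e. the old Rails default.
    def accessible_attributes
      @accessible
    end
  end

  # Mimics update_attributes(params): assign every key in the hash.
  # Unknown columns are ignored; with a whitelist, only listed columns change.
  def assign_attributes(params)
    whitelist = self.class.accessible_attributes
    params.each do |key, value|
      key = key.to_s
      next unless respond_to?("#{key}=")
      next if whitelist && !whitelist.include?(key)
      public_send("#{key}=", value)
    end
    self
  end
end

# "Before": no attr_accessible, so a request can set any column, admin included.
class UnprotectedUser
  include MassAssignment
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end
end

# "After": only the fields a user may legitimately change are assignable.
class ProtectedUser
  include MassAssignment
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email

  def initialize
    @admin = false
  end
end

# Constructed request parameters (hypothetical): the extra "admin" key is the
# kind of guessed column name the post describes.
REQUEST_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

def unprotected_result(params = REQUEST_PARAMS)
  UnprotectedUser.new.assign_attributes(params)
end

def protected_result(params = REQUEST_PARAMS)
  ProtectedUser.new.assign_attributes(params)
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected admin flag: #{unprotected_result.admin}" # true
  puts "protected admin flag:   #{protected_result.admin}"   # false
end
```

The point of the whitelist is that protection no longer depends on a developer remembering to mark each sensitive column; any column not explicitly listed is simply not reachable from request parameters.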

The Rails project keeps its source code on GitHub, which is written in Rails
by some of the world's top Rails experts.  Homakov found a place where they had
forgotten to use `attr_accessible` and used it to modify the Rails project,
adding a file explaining that even the best Rails developers made that
mistake.

The Rails project fixed the problem.

GitHub's irresponsible response
-------------------------------

In [GitHub's blog post][0] almost a month ago, mojombo wrote, in part:

> Three days ago, user @homakov opened an issue on rails/rails about the
> prevalence of the mass-assignment vulnerability. Two days ago he responsibly
> disclosed a security vulnerability to us and we worked with him to fix it in
> a timely fashion. Today, he found and exploited the public key form update
> vulnerability without responsible disclosure. For this reason we temporarily
> suspended his account for violation of section A8 of the GitHub Terms of
> Service pending a full investigation into what happened. Now that we've had a
> chance to review his activity, and have determined that no malicious intent
> was present, @homakov's account has been reinstated.
> 
> We haven't been as clear as we should have been on how to responsibly
> disclose security problems, and for that I'm sorry. To prevent future
> confusion about security-related account suspension, and to make explicit our
> stance on responsible disclosure, we have added a section entitled
> [Responsible Disclosure of Security Vulnerabilities][3] to our Security
> policy.

As [I posted][1] at the time, there's a big problem with this blog post.   It's
not GitHub's place to set policy on what kind of disclosure is or isn't
"responsible". Egor Homakov's responsibility is not to GitHub; his
responsibility is to other users. His moral duty upon finding a security
vulnerability is to act in such a way that other users will be minimally hurt.
It appears that he has fulfilled that responsibility spectacularly in this
very unusual case, and he could not have done so by following GitHub's new
policy.

GitHub has no business demanding his, or your, agreement to a legal contract
that prohibits you from exercising your best judgment in such a case.

Furthermore, "responsible disclosure" is a propaganda euphemism for "allowing
irresponsible vendors to cover their asses, possibly at the expense of their
users". Terms like "responsible disclosure" have no place in a serious
discussion. Please see the [Responsible Disclosure blog post by the Google
security team][2] for further details.

What GitHub should do
---------------------

GitHub should change the *title* and *URL* of this section of their policy so
that it no longer accuses anyone who acts otherwise of acting irresponsibly,
retract the section of their blog post that accuses Homakov of acting
irresponsibly, and publicly apologize for the accusation.  The actual *content*
of the policy is exemplary.

Because GitHub is generally such a responsible company, I have a lot of hope
that they will do this once it is pointed out to them that it is the
responsible thing to do.

[0]: https://github.com/blog/1069-responsible-disclosure-policy "Responsible Disclosure Policy, 2012-03-04"
[1]: http://news.ycombinator.com/item?id=3665427
[2]: http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html "Rebooting Responsible Disclosure: a focus on protecting end users, by Chris Evans, Michal Zalewski, et al."
[3]: http://help.github.com/responsible-disclosure