WikiLeaks promised it would share details of the CIA hacks found in the Vault 7 documents with affected vendors, but the outlet also has mysterious demands it wants met before disclosing vulnerability information.
When WikiLeaks first claimed it would work with software vendors to patch the vulnerabilities found in the CIA hacks, experts were wary of whether WikiLeaks could follow through on its promises. WikiLeaks has reportedly made contact with companies to begin the responsible disclosure process, but it also reportedly has certain demands it wants met before sharing the technical details.
According to Motherboard, multiple sources claimed WikiLeaks contacted Apple, Google, Microsoft and other companies referenced in the Vault 7 documents and asked those companies "to sign off on a series of conditions before being able to receive the actual technical details to deploy patches."
A Microsoft spokesperson confirmed contact was made by WikiLeaks and Microsoft has "followed up, treating them as [it] would any other finder." As of this post, neither Apple nor Google responded to requests for similar confirmation.
Experts debate WikiLeaks' demands
While the details of WikiLeaks' demands remain unknown, one alleged requirement, according to Motherboard, would be a 90-day patch deadline to remediate any vulnerabilities found in the Vault 7 CIA hacks.
Chris Eng, vice president of research at Veracode, said a strict 90-day deadline "may sound reasonable on the surface, [but] it fails to account for the complexity of the vulnerability."
"A common fallacy is that if the bug is easy to exploit it must be easy to fix," Eng told SearchSecurity. "Only the vendor is in a position to evaluate and recommend a remediation timeframe. What's reasonable is that the vendor maintains an open line of communication with the finder."
Igor Baikalov, chief scientist at Securonix, said a 90-day deadline "is a reasonable and widely accepted practice," noting this is standard policy for Google's Project Zero.
"If Apple and Google products are truly secure from the CIA hacks obtained by WikiLeaks, then there would be no harm for these companies to meet WikiLeaks' requirements, as far as we know them," Baikalov told SearchSecurity. "Or have they already obtained the details directly from the CIA? In either case, it seems that WikiLeaks' ploy to stress government ties of the companies as the reason for delayed response worked."
Chris Carlson, vice president of product management at Qualys, also said companies may be wary of WikiLeaks because the outlet may be more interested in impairing the U.S. government's offensive cyber capabilities than in helping vendors.
"WikiLeaks might be using threat of embarrassment as leverage over vendors to release security patches if it has proof that there is collusion between vendors and the U.S. government," Carlson told SearchSecurity. "While enterprises will benefit from zero-day vulnerability disclosure and vendors releasing security patches, it's hard to believe that WikiLeaks really cares about enterprise users. More likely, WikiLeaks is trying to impair nation states that are using and benefiting from these zero days by forcing vendors to acknowledge and release security patches."
Chris Sullivan, CISO and CTO at Core Security, said vendors may not have time to delay patching the vulnerabilities found in the CIA hacks.
"We will not wait indefinitely for the vendor [when disclosing flaws] because adversaries may have found the same vulnerability and could be using it undetected. If the vendor is uncooperative, we will release our security advisory anyway. In that way at least defenders know what [indicators of compromise] to look for and can implement compensating controls," Sullivan told SearchSecurity. "If WikiLeaks demands are along these lines, then they are behaving responsively. If they are getting ready to extort the vendor then I suspect they will lose a lot of credibility and trust."