Identity management company Xceedium Inc. has patched several vulnerabilities that security researchers had brought to its attention, but only after a fifteen-day deadline for acknowledging the problem had passed and the hacks were disclosed by the research group.
This became an issue when modzero AG, an independent security analytics firm based in Switzerland, found some critical vulnerabilities in the Xsuite platform.
These were not disclosures for the faint of heart. "The issues we identified in the Xceedium Xsuite allow a full compromise of the system," Martin Schobert, IT security analyst at modzero, wrote in an email to SearchSecurity. "In other words, an attacker gets administrative privileges on the Xsuite host. Because the solution is used like a gateway to connect to other computer systems in a network, an attacker may collect login credentials for these other systems, too."
Thus, the Xsuite issues potentially affected entire networks. Just after discovering these vulnerabilities, modzero alerted Xceedium.
According to Xceedium, the company made a conscious decision not to respond to the notification. "It's really unusual for us to interact with third parties -- someone who is not a customer or who doesn't have some sort of agreement with the organization," said Dale Gardner, senior director of product marketing at Xceedium. "The reason for that is that we have a variety of different customers -- a lot of whom have very sensitive environments."
In other words, Xceedium knew full well it could have prevented the Xsuite vulnerabilities from being disclosed -- and potentially harming customers -- with a response. But even something as simple as acknowledging the vulnerability alert was received would have put Xceedium in breach of confidentiality and nondisclosure agreements with customers, Gardner said.
"Responding to modzero would have put us in breach of those agreements and in violation of the stringent security policies we maintain, which we believe are essential to maintaining the success of Xsuite in protecting our customers," Gardner said, adding that Xceedium did communicate with customers and partners about the modzero report to mitigate the risks of the Xsuite vulnerabilities.
Modzero, of course, has its own vulnerability disclosure policy. According to Schobert, a vendor has at least 90 days to address the vulnerabilities that modzero points out. Modzero said it is very flexible with this timeline; however, the vendor is required to respond to the security firm -- something Xceedium did not do.
"We expect to get at least some kind of response within five business days," Schobert wrote. "If the vendor fails to give any kind of response, modzero publishes details about a security issue within 15 business days."
According to a timeline provided by modzero, the company sent notice to Xceedium on June 19, heard nothing, and then issued a full disclosure on July 22.
Schobert said that what they expect is "proper feedback." A company might, for example, "state that something will be proposed within three weeks. We contacted the vendor twice, but we got no feedback at all."
Xceedium's Gardner said that Xceedium had already been made aware of the vulnerabilities from a customer, was already working on patches and that the patches were in place a few weeks later. He estimated that it was on June 24th, two days after modzero's public disclosure.
Asked whether he thought modzero's vulnerability disclosure policy was too harsh and two weeks was an unreasonable deadline for response, Gardner was noncommittal. "I know security researchers will do that," Gardner said. "Sometimes they have different time frames. From our perspective … we try to move as quickly as possible to address vulnerabilities that were raised and to provide the fixes and updates to our customers."
If Xceedium felt that modzero was too quick off the mark, it would not be the first company to think so, as was the case with Google Zero's disclosure of Microsoft bugs.
Schobert was not aware of any exploits of the vulnerabilities in the wild. He explained that modzero was never in direct contact with Xceedium, and was not aware if the vulnerabilities had been patched at all. Gardner also stated that he had not heard of any successful exploits of the vulnerabilities before they were patched.