Security Issues and Volunteers

by Benjamin Peterson

I’ve been responding to CPython security reports (what gets sent to security@python.org) for more than half a decade. In this post, I explain the frustrating aspects of dealing with security issues as a volunteer.

Poorly written and invalid bug reports are a fact of open-source life. CPython receives plenty through bugs.python.org. Thankfully, there are also many volunteers around to gently explain to newbies that, for example, 0.6 + 0.3 equaling 0.899999999 is just the way floating-point arithmetic works. The work of triaging security bug reports, though, falls on a small group of people by design. The signal-to-noise ratio is much worse than normal bugs; most reports sent to us are completely bogus. python.org, in particular, attracts technically-illiterate people armed with automatic security scanners. (Someone once reported that python.org was pwned and hosting “malicious” binaries, which turned out to be signed Python Windows installers.) At the same time, missing a real vulnerability is unacceptable. Consequently, someone has to scrutinize every bug report consisting of nothing but screenshots of CMD.EXE. Unsurprisingly, there usually isn’t any vulnerability.

The discovery of a legitimate security bug triggers a number of tasks:

I participate in open-source work largely for the pleasure of writing useful software. It’s normally gratifying to implement a new feature or fix an obnoxious bug. In contrast, I extract scant joy from the above proceedings, which easily suck up hours of my and others’ free time. Users are unhappy because they have to drop everything and upgrade. They’re particularly unhappy if the security fix breaks their programs. A security disclosure brings negative attention to a project, which is stressful for the community.

One of the final tasks is to confirm with the reporter that their bug has been fixed and thank them. Commonly, gratitude is met with an inquiry about how much their bounty will be. I appreciate the ingenuity required to find many security issues, but the clueless entitlement of some bug reporters vexes me. (Multiple times, on learning that CPython will not pay them a bounty, reporters have asked if they can at least get a T-shirt or a place of honor in some “Hall of Fame” they imagine we have.) Bounties make sense for companies preferring that if vulnerabilities in their software are being sold, they be the ones purchasing them. Unfortunately, some people believe they deserve several thousand dollars from a volunteer open-source community for finding a buffer overflow.

There is often a public shaming of projects with security vulnerabilities. Shame is an appropriate tool to force makers of antivirus software that backdoors your browser to clean up their act. In the open-source world, however, shaming demotivates volunteers, which is counterproductive to fixing security issues. We need your empathy—or at least your money—to do our best by our users.