1. 21
    1. 5

      The notice at the top of the paper is unique and awesome, and I love seeing NDSS taking action here:

      Statement from the NDSS 2021 Program Committee: NDSS is devoted to ethical principles and encourages the research community to ensure its work protects the privacy, security, and safety of users and others involved. While the NDSS 2021 PC appreciated the technical contributions of this paper, it was the subject of a debate in our community regarding the responsible disclosure of vulnerabilities for the Firefox web browser. The PC examined and discussed the ethics concerns raised and the authors’ response. Although no harm came to users, the authors’ oversight could have made a non-vulnerable browser vulnerable to the attack proposed in the paper. The PC does not believe the authors acted in bad faith. Nevertheless, we decided to add this note as well as the authors’ response (in an Appendix) to the paper because the NDSS PC takes both the ethics of responsible disclosure and fairness towards the authors seriously. It is the PC’s view that researchers must not engage in disclosure practices that subject users to an appreciable risk of substantial harm. NDSS will work with other conferences to further improve the transparency of vulnerability disclosure to reduce such errors in the future.

      1. 8

        That is unique and awesome. However… I find both the authors’ response and the conclusion that they did not act in bad faith quite hard to swallow.

        I remember being shocked by the Bugzilla issue before I even knew any detail about the paper.

        In their response, they state:

        We informed all vulnerable browsers through reports in June 2020, detailing our technique and the underlying issue – as we wrote in the paper “we have disclosed our findings to all affected browsers”. This disclosure took place even before we submitted our paper to NDSS in July 2020.

        and they later add that

        we simply (and unwisely) didn’t take Firefox into account during the disclosure process because it wasn’t susceptible to the attack.

        One of the authors joined Ars Technica to say in the comments:

        Our mistake at this point was not circling back with Mozilla and explaining that if they did fix this bug, the other vulnerability could show up - all of our attention was on refining our understanding of the weaknesses we discovered in other browsers.

        That all sounds reasonable in isolation, but if you read the actual issue in Bugzilla you can see one of the paper’s authors asking, in late May, whether Mozilla planned to fix this.

        That feels a lot different than “we just opened an issue we found early in our exploration of the space, then forgot to follow up.” They were following up at very nearly the same time as they were disclosing vulnerabilities to other browsers. Given what they had to have known by late May, it’s hard to read this as anything besides trying to get Firefox to expose its users to the same issue they were seeing on other browsers.

        That’s much worse than failing to follow up.