The debate on what constitutes responsible disclosure has been running for some 20 years, with no end in sight. It’s not difficult to see why, with passionate researchers always on the hunt for bugs, big variances from vendors when it comes to fixing issues, and reputations to build and preserve on both sides.
To understand the best approach to responsible disclosure, it is important for CISOs to first appreciate how controversy arises. The most common cause is where technical details of a vulnerability are published before a fix is available or widely adopted, particularly when accompanied by easily reusable proof-of-concept exploit code.
On the one side are those who consider the researchers to be acting irresponsibly by enabling real attackers and drawing attention to issues. On the other side are those who consider such disclosure to be in the public interest – helping product users to make informed decisions and implement their own detections and mitigations in the absence of a vendor patch or fix.
The most mature software providers face a lot of public scrutiny around how responsive and responsible their disclosure and remediation efforts are.
This debate will no doubt continue to rage on. But when you look at many of the controversial full disclosures that have happened over the years, communication, or lack of it, is at the root. Clearly setting out the rules of engagement goes a long way to improving things.
For example, although 90-120 days is considered by many a reasonable maximum timeframe to remediate or face public disclosure, according to Project Zero: policy and disclosure: 2021 edition, we have seen numerous cases where it has taken a year or more for an organisation to provide a full fix for a reported bug.
This is particularly the case with less mature companies, especially those deploying internet of things (IoT) devices that are hard to update and rely heavily on third-party component or software providers to provide a fix that can then be integrated into their product.
The good news is that things are much clearer than they used to be for the typical CISO, especially those working for firms not engaged primarily in software development.
There is a wide range of good practice guidance and standards available, such as the NCSC’s Vulnerability Disclosure Toolkit – NCSC.gov.uk and ISO – ISO/IEC 29147:2018 – Information technology – Security techniques – Vulnerability disclosure. These provide CISOs and security managers with clear advice on how to establish communication channels and set expectations. CISOs can broadcast these through their organisation’s website, or make it easier to find by adopting the emergent security.txt standard (security.txt: Proposed standard for defining security policies (securitytxt.org)).
Bug bounties also make it simple for organisations to proactively solicit bug submissions from public researchers. However, they are intended to supplement, rather than replace, a well-organised and structured security assurance programme. They should also be accompanied by investment into teams to triage and promptly resolve inbound bugs.
Adopting the above points should make it easy for a security researcher to find out where to report vulnerabilities and help to reduce the chance that vulnerability reports will end up lost in an unmonitored mailbox. They would also set expectations around how long a fix will take and whether the researcher can expect a reward or acknowledgement for reporting an issue.
Most researchers will wait before publicising vulnerabilities if the organisation can be contacted, is responsive and provides regular updates signifying that it is progressing with a fix.
Alongside this, CISOs and security teams are well advised to keep a close eye on high-profile public disclosures and industry news, so they are aware of the latest unpatched or actively exploited vulnerabilities and can respond quickly when something beyond the standard patch management cycle is needed.
In summary, there are now plenty of tools and guidance available to equip CISOs to handle vulnerability disclosure well. Most people reporting genuine vulnerabilities have good intentions – clear communication and good administration of any disclosure programme is the key to minimising issues. Anything that helps strengthen security and protects companies from real malicious hackers must be a good thing and should be embraced by CISOs.
