The Vulnerability Conundrum: Improving the Disclosure Process
The vulnerability disclosure process involves reporting security flaws in software or hardware, and can be complex. Cooperation between the organization responsible for the software or hardware, and the security researcher who discovers the vulnerability can be complicated.
In this blog we’ll look at the vulnerability disclosure process, the parties involved and how they can collaborate productively.
Many vulnerabilities are discovered by a security practitioner acting independently. The researcher’s motivations can vary widely: building a relationship with the vendor; collecting a bug bounty; or receiving media attention. For the company, the disclosure will often create a bump in the road and require fixing the issue, alerting affected customers, and managing the media.
To achieve a proper security posture, organizations must address many layers: tools, systems, processes, regulations, training, and procedures, and more. A Vulnerability Disclosure Program (VDP) gives organizations another layer of protection — specifically to deal with unexpected situations that might include unusual or creative attack vectors. With cyberattacks evolving and criminals becoming ever more inventive, companies are left exposed and often unprepared to face a breach’s repercussions, so encouraging controlled disclosure of vulnerabilities is crucial.
As a CVE Naming Authority (CNA) with a security research team that has extensive experience in discovering and disclosing high-impact vulnerabilities, we’re sharing information and advice on the delicate relationship between vendors and researchers during the disclosure process.
The risk for vendors
Every organization is part of a software supply chain with hundreds of other companies. As a supply chain is only as strong as its weakest security link, an exploited security weakness could disrupt their operations and cause revenue and reputation damages until remediation and patching take place.
Companies often lack in-house measures to identify and mitigate security issues. In some industries, like connected devices and IoT, this issue becomes increasingly challenging because patching is harder. In addition, manual penetration testing and security audits for these systems can be time- and resource-intensive, and do not scale well. Thus, vulnerabilities can go unnoticed or remain unpatched for a long time. A breach in software systems like those found in industrial control systems, automotive ECUs, medical devices, or critical infrastructure can have regulatory ramifications if a disclosed vulnerability has been left unpatched. Needless to say, this is on top of the financial and reputational damages.
Security researchers can expose new vulnerabilities unknown to the vendor, and thus initiate a path to fixing security gaps before attackers find them. However, a conflict between the impacted organization and the security researcher could result in failure to mitigate the exposure promptly, leaving open the window for exploitation by attackers.
Improving The Relationship Between Researchers and Organizations
To reduce these risks, the organization must establish the scope and terms of a vulnerability disclosure program, provide a clear method for researchers to securely report vulnerabilities, and respond to reports in an appropriate time frame. Organizations also must communicate openly with the researchers and others in their business ecosystem. The publication of timely security advisories, patches, and changelogs will reduce misunderstandings and conflict, and nurture trust between vendors and their customers.
Security stakeholders must also contribute to a conflict-free disclosure process. Researchers sometimes disclose ‘technical’ vulnerabilities, and while valid theoretically, attackers can’t exploit them. Communicating these to the vendor could cause unnecessary panic and make the vendor less receptive — even openly hostile towards other disclosures of vulnerabilities that can cause real damage. By being more judicious in this regard, researchers are more likely to get the buy-in from organizations to have vulnerabilities fixed.
Researchers must ensure their testing is legal and authorized throughout the vulnerability disclosure process, while respecting privacy regulations. They must also take every reasonable measure to contact the organization and provide sufficient details for them to verify and reproduce the vulnerability, all while keeping the specific technical details of the vulnerabilities in confidence and secure. Most importantly, researchers should not demand payment or rewards for reporting any vulnerabilities found outside a bug bounty program.
Researchers must be aware that their security reports may be handled by developers or IT staff who lack a security background. As a result, they may be unfamiliar with many security concepts and terminology. That’s why security researchers should outline the details and impacts of the vulnerability clearly and concisely, so their reports can be universally understood, even by those without a security background.
As the amount, variety and complexity of software continue to rise, vulnerability disclosures will become increasingly important to keep businesses and consumers safe. With dozens of vulnerabilities found each day, companies must provide obvious and easy ways for external parties to report vulnerabilities. As vulnerability disclosure processes become common practice, organizations can provide their customers with peace of mind by actively looking for and remediating vulnerabilities. For additional information on the coordinated disclosure process, see this paper from CMU CERT/CC and these guidelines by ENISA.
Vulnerability disclosures help prevent the massive harm that breaches can have on businesses: shutting down operations, damaging supply chains, and fuelling PR nightmares, ultimately resulting in fewer new features delivered, loss of revenue, and damaged brand reputation. Implementing an effective and efficient vulnerability disclosure process can reduce the risk of security flaws being exploited by cybercriminals. A VDP creates a system for organizations and researchers to work together, find vulnerabilities before they can be taken advantage of, and protect essential data from exploitation — and stay a step ahead of cybercriminals.
In addition to discovering and responsibly disclosing vulnerabilities as part of our day-to-day activities, the JFrog security research team works to enhance software security by empowering organizations to discover vulnerabilities through automated security analysis. For more information and updates about the JFrog DevOps Platform security features learn more about JFrog’s security offerings.