Coordinated Vulnerability Disclosure policy for a safer cyberspace
August 6, 2020
The urgency of vulnerability disclosure management increases with the growing number of connected digital products and services. Yet, this concern is hardly new: ever since we began creating technology, the subject of vulnerability disclosure has ignited debates within the information security community. Identifying a bug is within reach of many individuals. There is no need to work inside a company to recognise a malfunction leading to a security risk. Well-intentioned people often identify vulnerabilities and then seek to warn the organisation in question so that they can fix it.
Coordinated vulnerability disclosure (CVD) is the structured cooperation where well-meaning hackers report vulnerabilities to the manager of the information system in question. The latter ensures the bug gets fixed, ideally in close collaboration with the vulnerability reporter, thus reducing the risk. The well-meaning individual having identified the vulnerability gets a “thanks” or a mention in a Hall of Fame; even better, they can share the insights with peers through publications and conferences. All is well that ends well.
We have said it before, we repeat it now: coordinated vulnerability disclosure is a process, not an isolated event. Firstly, it requires everyone to understand their respective roles and responsibilities around vulnerability disclosure. Secondly, adopting the right tools enables people to act according to their responsibilities. Thirdly, connecting people to tools happens through processes and actions of (security) governance. Together, these three components create a healthy environment, encouraging collaboration and reducing digital risk over the long-term.
We need clear legal guidelines
However beneficial such an approach may be, legal barriers or legal uncertainty continue to be a significant barrier to the widespread adoption of CVD. Below, we focus on how to create a legal environment where the well-meaning hacker feels sufficiently protected to report a vulnerability to the manager of the information system concerned, who will then ensure rapid remediation.
To date, only individual EU Member States are considering the creation of a national CVD policy. Two countries have already implemented a countervailing duty policy. Still, the other Member States have no immediate plans in this area. A weighty barrier to the implementation of schemes about countervailing duty policies in the EU is the absence of a single interpretation among the member States of what constitutes “hacking”.
Implementation of a coordinated vulnerability disclosure policy at the European level (adapted from CEPS, 2018).
As a result, legislators need to provide the legal security necessary to individuals acting in good faith involved in the discovery of vulnerabilities. As such, it is essential to put appropriate disclosure processes in place through supplementary advice and better practices.
To this end, we formulate proposals for legislative action on the national and European levels.
Improve policy through the national legislature
The Member States should act to create the legal security necessary for researchers involved in vulnerability discovery by revising national legislation. Such evolution in law-making is prone to enable the recognition of ethical hacking and to offer the legal clarity security researchers need. In France, several potential avenues exist that allow for fluidification of constructive interactions between ethical hackers and the information system managers concerned.
A revision of the Penal Code is required to ensure better protection for well-meaning hackers. This adaptation will introduce the conditions of protection for security researchers acting in good faith from eventual prosecution undertaken by the publisher of the software concerned, its subcontractor and its operators. Likewise, for example, the June 2018 version of the French Data Protection Act could be amended to include the terms of protection for ethical researchers.
The law could require companies to display on their website the process to use in the event of vulnerability discovery to consolidate awareness of the challenges of identifying and remediating vulnerabilities. In a first phase, this obligation would concern operators of vital importance (e.g. as per France’s Military Programming Law), the operators of essential services and the suppliers of digital services (as per the European NIS Directive). The obligation can then extend to any organisation and business.
Harmonise CVD guidelines at the European level
The European framework, just emerging and incomplete in terms of coordinated vulnerability disclosure, is yet to allow for the harmonisation of legislation and/or practices within the EU. Indeed, European policies are primarily intended for public or private organisations, but not for the Member States themselves. A somewhat fragmented European landscape accompanies the absence of a robust European policy regarding the protection of good-faith security researchers and CVD.
However, the European Union is gradually taking up the subject of CVD, as shown by the inclusion of requirements relevant to vulnerability disclosure in the Cybersecurity Act. Its practical implementation will provide answers about the actual impact of the text on CVD. The future European Centre for Industrial, Technological and Cybersecurity Research Skills could also finance projects aimed at improving coordinated vulnerability disclosure practices in Europe. Minimum harmonisation of European legislation is necessary to reduce the legal uncertainty faced by a large number of security researchers, particularly in cross border situations.
To reinforce and consolidate efforts encouraging standard rules and procedures between the Member States that enable a shared process for coordinated disclosure for software vulnerabilities in Europe, the EU could:
- Amend the Cybercrime Directive (Directive 2013/40/EU on attacks on information systems) to include CVD, promote the protection of security researchers and encourage participation in vulnerability disclosure programmes. Article 3 of the Directive could thus be amended so that the Member States take the specific case of well-meaning hackers into account in their national legislation. Such minimal harmonisation would provide hackers with increased protection, particularly in cross border situations;
- Invite the Member States to implement policies encouraging private and public entities to establish their CVD policies, as in the Netherlands. The Member States should ensure that well-intentioned hackers are not subject to criminal prosecution if they take part in CVD. As such, a global European policy would complement the amendments of the Cybercrime Directive in concrete terms; it would also ensure that Member States maintain the spirit of the text by adapting their national legislation;
- Promote a harmonised and fair intergovernmental CVD process in Europe. Governments may be led to acquire information about software vulnerabilities. The Member States should facilitate the adoption of rigorous policies to review and coordinate vulnerability disclosure at the government level and through their agencies. To remedy this lack of effort, we recommend that the Member States adopt policies and practices developed for information sharing. These activities should be subject to independent oversight and should involve all relevant ministries and agencies. The coordinating body leading this effort should be hosted in a civil agency with CVD expertise and should operate on a policy of immediate disclosure to relevant publishers to facilitate the rapid remediation of any vulnerability.
- Focus on, via ENISA, the republication of a guide with the appropriate course of action to be taken. It would answer questions raised in the 2015 edition;
- Implement specific training focused on all questions that can occur in the CVD context, whether at a technical level or a legal one.
Getting the law on the same page with actual practice will contribute to a world where risk reduction accompanies technology development.