Roles and responsibilities for efficient vulnerability disclosure
April 16, 2020
Vulnerability disclosure must be coordinated to be responsible and is an opportunity to empower the various participants. Coordination means that stakeholders understand their roles and responsibilities. Here’s a handy infographic to put confused minds at ease. It is available in English and en français.
The number of connected digital services (Internet, Bluetooth, etc.) grows. And with it, the issue of vulnerability disclosure management is becoming increasingly urgent. Unknown vulnerabilities constitute a risk. System managers, software publishers and their users must be able to identify that risk to fix. Appropriate management and disclosure of all vulnerabilities are essential for reducing digital security risks.
The question of vulnerability disclosure management is gradually becoming more urgent as the number of connected digital services (Internet, Bluetooth, etc.) increases. Yet, this issue is not new: ever since we began creating digital products and services, the subject of vulnerability disclosure has ignited debates within the information security community.
Creating software that meets all security requirements is no small challenge. It is thus crucial to identify and correct vulnerabilities as fast as possible to prevent their mobilisation by malicious individuals. Information systems are better protected when vulnerabilities are discovered and dealt with.
Vulnerability disclosure must be coordinated to be responsible. It is also an opportunity to empower the various stakeholders. All digital service providers, both public and private, are responsible—not only for the development of the best software possible but also for the responsible management of vulnerabilities.
Identifying a bug is within reach of many individuals. There is no need to work inside a company to recognise a malfunction leading to a security risk. Well-intentioned individuals often identify vulnerabilities and then seek to warn the organisation in question so that they can fix it.
Obstacles to coordinated vulnerability disclosure
Besides, it is a far more delicate situation for an individual outside of the organisation to report the vulnerability. It is impossible to address vulnerability disclosure without considering the motivations of the individuals reporting the bugs in an information system. Depending on the answer to this question, legal penalties may apply. Such legal uncertainty is a frequent hurdle to reporting a vulnerability.
Another obstacle to coordinated disclosure is the absence of a clear and secure communication channel enabling the escalation of active vulnerabilities. Indeed, most organisations with an online presence have no means dedicated to receiving reports of information system bugs. This deficiency explains in part why the organisation in question remains silent in response to reports from well-meaning individuals. This silence endangers the users of the vulnerable service.
Last but never the least, disclosure without anticipating the remediation timeline can also lead to negative consequences for the users.
These issues underscore the need for a transparent and smooth decision-making process. It ensures the digital security of individuals as well as public and private stakeholders and protects the rule of law online.
Clear roles and responsibilities are part of the right answer
Hence, the challenge is to get an ethical hacker who had found a vulnerability to report it to a system manager. The latter can then fix it and mitigate the relevant user risks without harming the hacker in the process. It is thus necessary to put in place a vulnerability disclosure system that benefits all stakeholders. You guessed that right: it is coordinated vulnerability disclosure (CVD). The latter is structured cooperation where ethical hackers report vulnerabilities to the manager of the information system in question.
Any company or public organisation can implement CVD and enable a direct report of the vulnerability to the most relevant entity. It can also involve an intermediary. In both cases, the approach is a coordinated vulnerability disclosure. That process allows an organisation to remedy the loophole before any detailed information concerning it goes public, with all of the negative implications that this can cause.
We have created the infographic below to better grasp the roles and responsibilities of the various participants to a CVD. Indeed, knowing who does what to reduce digital risk must not be a modern whodunit. Below, you can download the high-resolution file in English and en français. It is free to use under the terms of the CC-by-NC-SA licence.