Sound policy for a vulnerable-by-default cyberspace

February 11, 2021


For the past year and a half, the OECD has been defining guidelines around efficient vulnerability reduction. The final report is out today and is well worth a read. As active contributors to this guideline, we have summarised the main takeaways below.

It is not the first time an international institution enters the playfield. The OECD report builds upon earlier work: we have come a long way. Still, we need to pursue action to inscribe vulnerability non-proliferation in policy worldwide.

Our TL;DR: It is time to enforce public policies encouraging coordinated vulnerability disclosure for public and private organisations alike. That effort must happen on both the national and international levels. The OECD policy brief is also a great educational tool for policy-makers.

More detailed key takeaways are below. Chunks in italics are direct citations from the report.

Rationale and conclusions

Coordinated vulnerability disclosure (CVD) is an efficient way to identify and fix vulnerabilities. Tools such as vulnerability disclosure policies (VDP) and bug bounty (referred to as “market intermediaries”) are all ways to do so. The report builds upon those observations to provide public policy guidance. “As stakeholders involved in CVD are often located in different countries, it is expected that such guidance would help reduce potential fragmentation of approaches across jurisdictions and contribute to reducing digital security risk globally.” An abridged version of the most salient points is below.

✔ Breaking the “vulnerability taboo”: Economic and social challenges prevent stakeholders from adopting good practice, including a lack of awareness and co-operation, limited market incentives, legal barriers, limited trust in government, and a lack of resources and skills.

✔ Treating vulnerabilities is a shared responsibility amongst vulnerability owners. In the era of digital transformation, it is grossly irresponsible to develop code and maintain systems while ignoring the consequences of the vulnerabilities that may emerge over time. Producers and system owners need to establish processes to treat vulnerabilities systematically and proactively in order to decrease risk for themselves and others.

✔ Ethical hackers and white hats can help substantially reduce digital security risk by reporting vulnerabilities. But they are sometimes threatened with legal proceedings by some businesses and governments, which creates a chilling effect. They need safe harbours.

✔ Stakeholders often do not trust governments. Stockpiling and weaponising vulnerabilities, implanting backdoors, and buying vulnerabilities on black or grey markets affect stakeholders’ trust.

✔ Governments can take many actions to encourage the adoption of good practice for vulnerability treatment, such as changing the culture related to vulnerabilities, protecting ethical hackers, leading by example, addressing the grey market, and co-operating internationally.

YesWeHack’s takeaways

There is no such thing as a vulnerability-free service. So, we need to mainstream approaches that enable vulnerability non-proliferation and reduction. To hunt for and fix security weaknesses needs to become a core priority for cybersecurity professionals and decision-makers alike.

🎯 Culture change: The reality is best described as “vulnerable-by-default”. Acknowledging this does not lessen the value of an organisation or a leader. On the contrary, it makes them more trustworthy. The best way to approach vulnerabilities is to bless the need to fix them.

🎯 Roles and responsibilities: To be responsible, vulnerability disclosure must be coordinated. As we have consistently stated, CVD is not a product; it is a process. Knowing who does what to reduce digital risk must not be a modern whodunit. Any company or public organisation can implement CVD and enable a direct report of the vulnerability to the most relevant entity. It can also involve an intermediary. In both cases, the approach is a coordinated vulnerability disclosure.

🎯 Safe harbour: Ethical hackers can make significant contributions to increasing the digital security of products and services. Yet, legal uncertainty bars an overwhelming majority of well-intentioned people to help reduce risk. We have called, times and times again, for removing ambiguity and pacifying the legal environment. Doing so will remove unnecessary obstacles to coordinated vulnerability disclosure. An international model in this field is essential to avoid all uncoordinated public disclosure. As such, guaranteeing protection for ethical security researchers is paramount.

🎯 Transparency: The global and lasting reduction of risk will come from public-private cooperation. Identifying and fixing security vulnerabilities is a shared responsibility. Being open about how you protect users means leading by example. Besides, it builds trust. Government actors are particularly at aim here: public scrutiny has identified many cases of acquiring and weaponising vulnerabilities. The Paris Call, to which YesWeHack is a first-time signatory, is the most prominent international convener of efforts to foster trust in governments’ role.

🎯 Policy effort is required: Still, slow action or inaction have an increasingly severe impact against the backdrop of pervasive digital transformation. Policy-makers need to address it both nationally and internationally. Guidelines already exist to inform country-level and EU legislators about what to tackle and how to further global standards.

What next?

Despite the clear security and economic impact of vulnerabilities, policy attention has shied away. Drawing policy-makers to more substantial commitments to vulnerability treatment is a sound way to enforce safer cyberspace for all. But we need not wait for legal and regulatory to act now: the tools exist and are within reach. Use them to find and fix vulnerabilities, that is, to help keep the Internet safer.

Policy avenues

Read our acclaimed wrap-up of ways to promote sound policy on coordinated vulnerability disclosure at the national and the EU levels.

Read More

Practical CVD

You have been wondering how to approach vulnerability reduction in everyday operations? Wonder no more, we have the right guide right here.

Read More