Coordinated Vulnerability Disclosure (CVD) has become a critical aspect of security today. This practice protects technology users by timing mitigations with the public disclosure to reduce the opportunity for cyber criminals to exploit unresolved vulnerabilities. The process improves collaboration with researchers and affected technology companies for developing mitigations and sharing their findings. The cumulative benefits are broader industry resilience to common weaknesses, more secure products, and heightened public awareness and confidence.
When executed properly, CVD can reduce the chances of actual exploits, but success isn’t guaranteed. There are several main categories of security vulnerabilities and associated CVD programs. Digital services issues revolve around website vulnerabilities, such as those found in the OWASP Top Ten. And software vulnerabilities are design bugs or coding weaknesses in software platforms. These two categories are what people most often think of when they hear CVD, and can generally be addressed through code revisions and pushing updates. Hardware weaknesses and industrial control system (ICS) vulnerabilities are more challenging to mitigate and disclose due to the complex supply chains, various dependencies, and age of the systems involved – and thus are even more critical to address through CVD.
Each CVD program might look a little different depending on which types of vulnerabilities the organization may encounter. That said, there are universal elements that anyone managing one should consider. Here are seven best practices for improving a CVD program or building a new one today:
- Be honest with the company’s status. Only start a CVD program if the organization has the staff, time and resources to manage it effectively. The team needs to have mechanisms in place that make bug submissions easy, a ticket management system, and defined processes for engaging with engineers to vet reported vulnerabilities and develop mitigations. These elements might seem like common sense, but weak or incomplete CVD programs can do more harm than good and are more common than many might suspect.
- Understand the differences between bug hunters. There are a few general types of researchers most organizations encounter in the security space. Quiet helpers are those who report vulnerabilities on principle with no expectation of recognition or compensation. Recognition seekers are often academics or researchers looking to build a reputation for uncovering major vulnerabilities. Professional bug hunters pay the bills with bug bounties and will typically advocate for high severity scores because of the associated financial benefits. Understanding each of these groups, their unique motivations and how best to collaborate with them will allow the team to build the necessary incentives and processes into its program.
- Learn to identify credible submissions. Fielding vulnerability reports from untrustworthy or unqualified sources can be frustrating and cause the team to waste valuable time and resources. Establishing the who, what, where, when and how will save the company valuable time it will need later in the mitigation process. Who is responsible? What is acceptable? Where will the reports go? When will the company respond to reports? How did they discover this information?
- Develop a contingency plan. The CVD process often requires compromise. Every party involved has a unique perspective, which often means that goals and objectives do not align. In some cases disclosures will not go smoothly, and misunderstandings or competing objectives will come up. Having legal counsel and the external communications team in the loop early will help reduce collateral damage if a disclosure becomes more challenging than anticipated. Try to work with the researcher, and if a request is reasonable and promotes end-user security, try to meet it.
- Establish a process with partners and customers. CVD demands open lines of communication with stakeholders. Reach out to partners and customers proactively, align with them on mitigation timelines and stay in touch throughout the entire disclosure process.
- Understand the importance of timing. There are no official standard timelines for CVD. However, for software vulnerabilities, many researchers expect 90 days from first alert to publishing the disclosure. Such deadlines may be impractical, so it’s important to clearly communicate with the researcher about timelines while developing a disclosure plan. Clearly communicate the decision-making criteria and take into consideration any other obligations the researcher may have, such as an upcoming conference presentation. Failing to communicate and work collaboratively with the researcher on the disclosure plan can result in a zero-day disclosure.
- Take the high road. Approach every situation from a place of goodwill. Assume good intent by default, while understanding that not every experience will work out. Instances of threats and extortion are not unheard of in this community. The culture has changed somewhat, but many people have had bad experiences. Some researchers demand payment for a bug before delivering any details – a tactic designed to intimidate companies into paying for non-critical or trivial issues. Develop a plan for these situations and communicate it to internal stakeholders to reduce fear, uncertainty and doubt. Always report any instance of direct or indirect extortion to the appropriate internal stakeholders or law enforcement. Organizations with a CVD program should clearly outline their disclosure terms and conditions. Such terms help researchers understand exactly where an organization stands on security research, and which products or services are within the scope of its program.
Historically, there has been friction between security researchers and vendors. But more organizations have begun to commit to progressive CVD programs because of the resulting practical (and reputational) benefits. Hardware CVD has its challenges, yet it represents one of the most critical aspects of building a trusted foundation for computing across the industry. Because of the foundational role hardware products play in business and society in general, hardware manufacturers should strive to mitigate vulnerabilities in an open, honest and transparent manner, so that vendors, partners and customers can proactively address second- or third-order risks down the chain. These best practices and industry resources can help any organization looking to develop an effective CVD program, build partner and customer confidence, and support the technology ecosystem in earning trust.
Kathleen Trimble-Noble, director, PSIRT and Bug Bounty, Intel Corp.