Be honest about the company’s status. Only start a CVD program if the organization has the staff, time and resources to manage it effectively. The team needs to have mechanisms in place that make bug submissions easy, as well as ticket management systems and defined processes for engaging with engineers to vet and develop mitigations for reported vulnerabilities. These elements might seem like common sense, but weak or incomplete CVD programs can do more harm than good and are more common than many might suspect.
Understand the differences between bug hunters. There are a few general types of researchers most organizations encounter in the security space. Quiet helpers are those who report vulnerabilities on principle with no expectation of recognition or compensation. Recognition seekers are often academics or researchers looking to build a reputation for uncovering major vulnerabilities. Professional bug hunters pay the bills with bug bounties and will typically advocate for high severity scores because of the associated financial benefits. Understanding each of these groups, their unique motivations and how best to collaborate with them will allow the team to build the necessary incentives and processes into its program.
Learn to identify credible submissions. Fielding vulnerability reports from untrustworthy or unqualified sources can be frustrating and cause the team to waste valuable time and resources. Establishing the who, what, where, when and how will save the company valuable time it will need later in the mitigation process. Who is responsible? What is acceptable? Where will the reports go? When will the company respond to reports? How did they discover this information?
Develop a contingency plan. The CVD process often requires compromise. Every party involved has a unique perspective, which often means that goals and objectives do not align. In some cases disclosures will not go smoothly, and misunderstandings or competing objectives will come up. Having legal counsel and an external communications team in the loop early will help reduce collateral damage if a disclosure becomes more challenging than anticipated. Try to work with the researcher, and if it’s a reasonable request and promotes end-user security, try to meet it.
Establish a process with partners and customers. CVD demands open lines of communication with stakeholders. Reach out to partners and customers proactively, align with them on mitigation timelines and stay in touch throughout the entire disclosure process.
Understand the importance of timing. There are no official standard timelines for CVD. However, for software vulnerabilities, many researchers expect 90 days from first alert to publishing the disclosure. Such deadlines may be impractical, so it’s important to clearly communicate with the researcher about timelines while developing a disclosure plan. Clearly communicate the decision-making criteria and take into consideration any other obligations the researcher has, such as an upcoming conference presentation. Failing to communicate and work collaboratively with the researcher on the disclosure plan can result in a zero-day disclosure.
Take the high road. Approach every situation from a place of well meaning. Assume good intent by default, while understanding that not every experience will work out. Instances of threats and extortion are not unheard of in this community. The culture has changed somewhat, but many people have had bad experiences. Some researchers demand payment for a bug before delivering any details – a tactic designed to intimidate companies into paying for non-critical or trivial issues. Develop a plan for these situations and communicate this plan to internal stakeholders to reduce fear, uncertainty and doubt. Always report any instances of direct or indirect extortion to the appropriate internal stakeholders or law enforcement.
Organizations with a CVD program should clearly outline their disclosure terms and conditions. Such terms help researchers understand exactly where an organization stands on security research, and what products or services are within the scope of their program.
Medtronic disclosed a critical vulnerability in all MiniMed Remote Controllers used in certain insulin pumps in 2018. Medtronic has since recalled the devices, which the FDA identified as the most serious type of recall.