During our work we naturally encounter vulnerabilities and security related issues which present an immediate risk to specific organizations and/or the public. Deciding what to do with a vulnerability is not an easy decision since from the moment you know about it in a way you share the responsibility on might happen to the people that may be affected by it.
Today in the world there are several approaches, here is a brief summary on them:
- Immediately disclosing it to the public in full detail where the main argument for that is the fact that you alert the world immediately about the problem and the impacted audience can take immediate measures to mitigate it until the company whom is responsible for the vulnerability will address it. The cons for such a disclosure policy is the fact that this knowledge can fall in the “wrong” hands and from the moment it can be used for malicious purposes. From the moment of disclosure up to the moment it is fixed there is a window of time of exposed risk. One of the main supporters for such an approach is Bruce Schneier where he elaborates on the topic in his famous post of “Schneier: Full Disclosure of Security Vulnerabilities a ‘Damned Good Idea’“.
- Disclosing only general details about the issue, which can hint on the impact but can not lead to the attack details itself and in the same time contacting the responsible company and providing them the full details of the vulnerability. Once the company issues a fix to the vulnerability then from this point it can go in two ways: either fully disclosing the details in order to provide awareness to the impacted audience as well as to the security industry in order to further scrutinize the topic and maybe come up with more insights which can eventually progress the state of the security related to that matter. The second option is keeping it confidential with all the ramifications of such a decision.
The tricky part is what happens in the following scenario: You disclosed a vulnerability to a company and the company does not issue a fix or claims that it is not an issue. This is a challenging dilemma. On one hand you still did not disclose it to the public and you still believe it is important while on the other hand the company rejects your findings.
Anyway, we at the cyber security labs have adopted a “Responsible Full Disclosure Policy” (similar to the one suggestd by Netflix) where it means that we:
- Issue a general public notice on the matter (from now on via this blog) without any details that can lead someone to reconstruct an attack based on the vulnerability.
- Contact the company with full details on the vulnerability and assist in the investigation. During the investigation we will update the original blog post with updates.
- Once the investigation ends we will publish in the blog post a full disclosure on the matter. The full disclosure will be published in agreement with the company and after a fix has been issued or any other terminal statement from the company regarding the matter. In case of special circumstances we will provide explanation to our actions if differ from this policy.
We believe this is the best approach since we do not risk too much the impacted audience with our first disclosure prior to a fix, we help the company solve the issue and we contribute eventually to the evolvement of the state of security with our detailed disclosure. One can ask, why do you provide the first notification to the public? What’s the value in it? The general notice to the public has two value points:
- We bring to the public awareness the fact that there is an issue with a specific product/technology where each person can seek for help on how to mitigate it temporarily until a fix is published. We will also publish as part of the disclosure report set of recommendations to the impacted audience on how to protect themselves. Sometimes there is no much to do about it without a fix but still even being aware to it and not using it is in a option. If someone does not know about it then we are in a way putting him/her in a risk while keeping it secret.
- Notify the company which receives the vulnerability report that there is public awareness to their investigation. We will be fully transparent on all reports and progress in the investigation including the case where our original report was not accurate. If we make mistakes (which can happen) we will admit them publicly.
IBM’s Security Intelligence team disclosure policy (or at least best practice) is a great example of a highly professional approach.
Please share with us your thoughts about disclosure policies.
P.S. It could have been really great if each company was very clear on their disclosure approach such as Netflix did. It makes the lives of security researchers much easier and I believe it can also greatly contribute to the assurance of their users. Transparency and openness is always good.
P.S2. Here are some more interesting links on the topic: