Glass half-full: Vulnerability reporting and handling in the age of innovation

In an era of unprecedented reliance on advanced, connected technologies, the opportunities created by innovation are boundless, delivering increases in convenience, productivity, and even safety. The ability to take advantage of this nearly limitless world of possibility relies on one critical factor: trust. We tend to assume that technology will only perform as desired. This, however, is unrealistic. 

Technology, much like those that make it, is not perfect: it always has the potential to perform in unexpected or unintended ways. When those imperfections expose users to risk, we call them ‘vulnerabilities’. All technology will include some kind of vulnerability, or some opportunity for misconfiguration or glitch. This is pragmatism, not pessimism, and the key to managing it is finding vulnerabilities and fixing them quickly. We call the process of third parties finding and reporting these issues ‘vulnerability disclosure’, and the process of technology providers addressing them ‘vulnerability handling’. 

The Current Landscape 

These are not new concepts. Over the past two decades, a great deal of work has gone into defining best practices for both sets of activities, even resulting in guidance from the International Organization for Standardization (ISO/IEC 29147, which covers vulnerability disclosure, and ISO/IEC 30111, which covers vulnerability handling processes). Yet adoption of these practices seems to have lagged among the two primary groups involved: security researchers – those who find and report vulnerabilities – and technology providers, who own the development and maintenance of the technology, and thus the ‘fix’ for any vulnerabilities. Delayed adoption is concerning given our increasing reliance on technology, particularly in areas that relate to physical safety, for example transportation, healthcare, critical infrastructure, and home security. 

Mindful of the increasing importance and complexity of vulnerability disclosure and handling, the National Telecommunications and Information Administration (NTIA) ran a ‘multi-stakeholder process’ on the topic last year. Part of the US Department of Commerce, NTIA’s remit is to support a free, open, and trustworthy internet, and one way it does so is by identifying potential emerging challenges and convening relevant parties to collaborate on potential solutions. While NTIA is a US entity, it welcomes anyone to participate in its multi-stakeholder processes.   

My goal in participating was to investigate the reality of what’s happening today with vulnerability disclosure and handling, and then to collaborate with other interested parties on how we can drive further adoption of recommended practices. Understanding the former is critical to being able to tackle the latter. Fortunately, there were 15-20 other people also interested in this area and willing to donate their time, so we formed the “Awareness and Adoption Working Group” and set about gathering insight into the current state of play.    

Understanding Community Concerns 

The Awareness and Adoption Working Group launched two internet-based surveys: one aimed at security researchers, and one at technology providers and operators. Internet surveys are not ideal, as they intrinsically introduce some level of selection bias in respondents; however, they were the most practical way to hear directly from large numbers of the people we wanted to reach. To reach as broad a range of respondents as possible, we proactively contacted industry groups in a variety of sectors, including emerging areas where cybersecurity and safety are starting to intersect, such as the automotive and medical device industries. 

We received 414 responses to the researcher survey and 285 for the technology provider and operator survey. Key findings from each survey are summarized below. 

Researcher survey 

- The vast majority of researchers (92%) generally engage in some form of coordinated vulnerability disclosure.  

- When they have gone a different route (e.g., public disclosure), it has generally been because of frustrated expectations, mostly around communication.  

- The threat of legal action was cited by 60% of researchers as a reason they might not work with a vendor to disclose.  

- Only 15% of researchers expected a bounty in return for disclosure, but 70% expected regular communication about the bug.  

Vendor survey

- Vendor responses were generally separable into ‘more mature’ and ‘less mature’ categories. Most of the more mature vendors (between 60 and 80%) used all the processes described in the survey.  

- Of the more mature technology providers and operators, most (76%) look internally to develop vulnerability handling procedures, with smaller proportions looking to their peers or to international standards for guidance.  

- Mature vendors reported that a sense of corporate responsibility or the desires of their customers were the reasons they had a disclosure policy.  

- Only one in three surveyed companies considered, or required, that their suppliers have vulnerability handling procedures of their own, so a vendor’s own process often does not extend down its supply chain.  

You can see more details on the responses and conclusions in the full survey report.  

Driving Awareness and Adoption 

In the past few years, we’ve seen significant evolution in the vulnerability disclosure landscape – for example, a number of US governmental offices have acknowledged the importance of vulnerability disclosure and handling, even creating a legal exemption to support security research. We’ve seen notable names in defence, aviation, automotive, and medical device manufacturing and operation all launch high-profile vulnerability disclosure and handling programs. These steps are indicative of an increased level of awareness and appreciation of the value of vulnerability disclosure, and each paves the way for yet more widespread adoption of best practices. 

The survey data reflects this: many of the respondents indicated that they clearly understand and appreciate the benefits of a coordinated approach to vulnerability disclosure and handling. Importantly, both researchers and more mature technology providers indicated a willingness to invest time and resources into collaborating so they can create more positive outcomes for technology users.   

Yet there is still a way to go. The data also indicates that, to some extent, there are still perception and communication challenges between researchers and technology providers/operators, the most worrying of which is that 60% of researchers indicated concern over legal threats. We would like to see more effort on improving communication between researchers and vendors, supporting a more coordinated approach to disclosure that better informs and protects the technology user. Removing legal barriers, whether through changes in law or through clear vulnerability handling policies that commit the vendor not to pursue legal action against researchers who follow them (a ‘safe harbor’), will also encourage researchers to take a coordinated approach, and will help build trust.

Jen Ellis, vice president of public and community affairs at Rapid7