Thank you to the highly respected infosec professional, Raj, for writing this article on responsible disclosure of exploitable vulnerabilities. This article highlights the reasons for being careful about how vulnerabilities are disclosed, and the ethical approach to this disclosure.
.........
A few days ago, I saw one of the cybersecurity enthusiasts publish a post on how he found a brand-new vulnerability affecting a network security device. No doubt it’s cool when someone identifies a bug or security flaw, and many followers congratulated him on his findings. It turned out the person found the flaw and then, within a few hours, posted it straight to social media.
Finding a security flaw or vulnerability is a fantastic thing. However, you must also disclose it responsibly.
There are three ways of doing a disclosure:
Private disclosure
In the private disclosure model, the vulnerability is reported privately to the organisation. The organisation may choose to publish the details of the vulnerabilities, but this is done at the discretion of the organisation, not the researcher, meaning that many vulnerabilities may never be made public. The majority of bug bounty programs require that the researcher follows this model.
Public (or Full) Disclosure
The full details of the vulnerability are made public as soon as they are identified. This means that the full details (sometimes including exploit code) are available to attackers, often before a patch is available. The full disclosure approach is primarily used in response to organisations ignoring reported vulnerabilities, in order to put pressure on them to develop and publish a fix.
Responsible or coordinated disclosure
Responsible disclosure attempts to find a reasonable middle ground between these two approaches. With responsible disclosure, the initial report is made privately, but with the full details being published once a patch has been made available (sometimes with a delay to allow more time for the patches to be installed).
In many cases, the researcher also provides a deadline for the organisation to respond to the report or to provide a patch. If this deadline is not met, then the researcher may adopt the full disclosure approach and publish the full details.
It’s clear that the responsible disclosure approach is designed so that security researchers and enthusiasts identify security flaws and vulnerabilities, and product owners and vendors fix them within a reasonable time. This model also imposes a time limit on vendors to act; if they do not, the researcher can go for full disclosure.
So why would people go with the full disclosure?
- Lack of understanding of vulnerability disclosure ethics.
- To gain public attention (for the person).
- The product vendor has no proper vulnerability disclosure policy.
Why you shouldn’t choose public disclosure as the first option
- The intention of finding a vulnerability is to get it fixed, so if we do a full disclosure in the first place, attackers could easily exploit or weaponise it and cause harm to systems used by the general public.
- Someone else may already have made a responsible disclosure, and the product owner/vendor is already working on a fix (this period is known as a disclosure embargo).
- You may be violating the software use agreement and could face legal challenges.
- You may be breaking the ethics of cybersecurity. This may also severely impact your career.
Suppose you ever find a vulnerability or security flaw. In that case, the best thing you can do is make a responsible vulnerability disclosure, so you play your part in the fight against cybercriminals. If you are unsure, get advice from a cybersecurity professional.
Further Reading
ASD ISMS guidelines on Vulnerability disclosure program - https://www.cyber.gov.au/acsc/
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 29147:2018, Information technology – Security techniques – Vulnerability disclosure, at https://www.iso.org/standard/
CISA Coordinated Vulnerability Disclosure (CVD) Process - https://www.cisa.gov/