Establishing Best Practices For Effective Responsible Disclosure Channels

Establishing best practices for effective responsible disclosure channels has never been more vital.

Why? Because 2024 is on record pace to have the most CVEs published ever, making a well orchestrated patch management cycle critical for maintaining secure operations amidst the chaos. The importance of effective communication regarding security information is also important to fill in the security gaps that an organization's own IT security team may overlook. Establishing best practices for responsible disclosure channels is paramount to safeguarding business critical infrastructure and sensitive data against common threats such as ransomware, and protecting brand reputation. 

This article delves into the significance of providing standard communication channels for ingesting security information, explores key drivers motivating organizations to prioritize transparency and accountability, and provides insights into compliance requirements and industry standards shaping responsible disclosure practices. For those looking for a more broad understanding of responsible disclosure you can read our previous blog post covering this topic.  

By understanding some standard security communication channels organization's can forward their own resilience against emerging threats and foster trust with stakeholders.

Why Do Organizations Need to Communicate Security Information?

Essentially, effective communication of security information helps organizations protect their assets, data, and even their reputation. There are several key reasons why organizations need to prioritize communication regarding security:

• Risk Mitigation: Timely and accurate communication of security information allows organizations to mitigate risks effectively. By ensuring that the organization can receive responsible disclosure of security information about their products, services, and infrastructure, they are better able to promptly notify stakeholders about security vulnerabilities, and respond to potential threats with measures to remediate them, minimize potential damages, and prevent future exploitation of vulnerabilities. Also, by patching any discovered vulnerabilities early, organizations can avoid the legal disclosure requirements such as those imposed by the US SEC, the Federal Communications Commission's (FCC) FCC-23-111A1, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

• Transparency Is Brand Protection: Communicating security information demonstrates transparency and accountability, building trust with stakeholders such as customers, partners, and regulatory bodies. Failure to communicate security information transparently can damage an organization's reputation and brand integrity. Effective communication demonstrates a commitment to security and helps reassure customers, investors, and partners of the organization's dedication to protecting their interests

• Compliance Requirements: Many industries and regulatory frameworks mandate the communication of security information to ensure compliance with legal and regulatory obligations. Failure to communicate security information adequately can result in fines, penalties, and reputational damage. Some examples in 2024 include GDPR, HIPAA, SOC-2, PCI-DSS, and the EU's  soon to be adopted NIS-2

• Learning From The Security Community: Engaging with the security community through communication channels fosters collaboration and knowledge sharing. By actively participating in responsible disclosure programs and engaging with security researchers, organizations can leverage external expertise to identify and address security vulnerabilities more effectively

Standard Channels For Responsible Disclosure

Standard security information channels serve as vital conduits for receiving and managing security-related information, enabling organizations to promptly identify and address potential vulnerabilities. By implementing standardized communication channels, such as designated email addresses, web forms, or bug bounty platforms, organizations can streamline the process of receiving security reports from external parties, including security researchers, ethical hackers, and concerned users.

Here we will explain SECURITY.md and security.txt files, and the standard SECURITY@domain.com email address and their differences:

What is a SECURITY.md File?

A SECURITY.md file is a markdown file typically included in software repositories to outline the security policies and procedures for that particular project. It serves as a centralized location for developers, contributors, and users to understand how security vulnerabilities are handled within the project. The SECURITY.md file should optimally be placed in the root folder of a public or private software repository allowing developers to easily access it and identify the proper channels for disclosing security information. 

The contents of a SECURITY.md file often include:

• Reporting Guidelines: Instructions on how to report security vulnerabilities or concerns, including contact information for the project maintainers or security team

• Vulnerability Disclosure Policy: Information on how vulnerabilities are triaged, evaluated, and addressed, including timelines for response and resolution

• Supported Versions: Details about which versions of the software are currently supported and eligible for security updates, as well as any end-of-life dates for older versions

• Security Advisories: Links to past security advisories or bulletins issued for the project, along with relevant details about the vulnerabilities and their resolutions

• Security Best Practices: Recommendations or guidelines for developers and users to follow to enhance the security of their deployments or contributions to the project

By providing a SECURITY.md file, software projects demonstrate their commitment to security and transparency, helping to build trust with users and encouraging responsible disclosure of vulnerabilities by security researchers. For reference, before designing a SECURITY.md file, you can check out some examples from popular public repositories including WordPress, the Bitwarden password manager, and the Eclipse IDE.

What is a security.txt File?

security.txt files (RFC9116) should ideally be placed in the root directory of a website or web application, making it easily discoverable by users and security researchers who may come across security vulnerabilities during their testing or browsing activities. Similar to a SECURITY.md file, the security.txt file relays a standard set of security information to ensure the secure use of a web-application, and provides further steps for security researchers wanting to disclose any weaknesses or exploitable vulnerabilities in a website. 

Standard sections of a security.txt file following RFC9116 include:

• Acknowledgments: Information about how security researchers will be acknowledged for responsibly reporting vulnerabilities, such as being listed on a "Hall of Fame" page.

• Canonical: Specifies the URL where the security.txt file can be found for verification purposes.

• Contact: Provides contact information, such as email addresses or URLs, for reporting security vulnerabilities.

• Encryption: Indicates whether encryption is used for communications related to security issues.

• Expires: Specifies the date after which the information in the security.txt file is considered outdated and should no longer be relied upon.

• Hiring: Information about any job openings related to security roles within the organization.

• Policy: Outlines the organization's vulnerability disclosure policy, including instructions on how to report vulnerabilities, preferred communication methods, and response times.

For reference, before designing a SECURITY.md file, you can check out some examples from popular public repositories including WordPress, the Bitwarden password manager, and CISA.gov.

Implementing a SECURITY@domain Email Address

According to Section 4 of the "MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS" Standard [RFC2142], utilizing the SECURITY@domain email address for addressing security matters is a best-practice for allowing security researchers to quickly contact the security team members that support a company, app, or domain. 

By configuring and monitoring the standard SECURITY@domain email address, organizations can ensure that security related information can flow into the proper team members, especially when a SECURITY.md file within a software repository, or security.txt file for websites is not a feasible option. 

Conclusion

The number of published Common Vulnerabilities and Exposures (CVEs) is on the rise. Effective communication of security information is paramount to ensure your organization can leverage security related information from the community and at the same time, protect your reputation. Establishing best practices for responsible disclosure channels becomes crucial to safeguarding assets, data, and reputation.

By understanding and implementing standard security communication channels, organizations can bolster their resilience against emerging threats and foster trust with stakeholders. Whether through the establishment of SECURITY.md files, security.txt files, and the implementation of standardized contact methods such as the SECURITY@domain email address, organizations can demonstrate their commitment to security and transparency while encouraging responsible disclosure of vulnerabilities.

Looking for more cybersecurity updates and news? Sign up for our informational zero-spam newsletter.