Is your organization prepared for vulnerability disclosure?
Cybersecurity is top of mind for many who manage businesses in 2023. Organizations are posting record financial losses due to cyber breaches and need stronger assurances that their external partners are proactive about addressing software vulnerabilities when they arise. It is more critical than ever that software developers and vendors are prepared to handle vulnerability disclosures submitted by outsiders (often security researchers or customers) who have discovered a weakness that attackers can exploit.
Organizations need internal channels that make it easy to report security flaws, and they need to act on those reports responsibly. The EU's proposed Cyber Resilience Act (CRA) may soon impose a formal obligation to do so. Now is the appropriate time to evaluate whether your organization is prepared to manage incoming vulnerability disclosures effectively, both through internal channels and when they surface publicly on social media.
This article covers what to do, and what not to do, when handling vulnerability disclosures, and reviews the industry standards and best practices your organization can adopt to make sure it is on the right track to act on them.
What is Vulnerability Disclosure?
Vulnerability disclosure is the process of reporting exploitable security gaps in computer software, hardware, or online services. It should be distinguished from mandatory breach disclosure (also called breach reporting). Vulnerability disclosure is the event of a security researcher or customer providing information about a security gap in a product or online service. Mandatory breach disclosure, by contrast, is an organization's obligation to disclose that attackers have compromised its IT infrastructure and stolen data.
Security researchers may disclose vulnerabilities directly to the parties responsible for the products that contain the flaws, known as "responsible disclosure", or they may choose to simply publish the information to the cybersecurity community via social media without directly contacting the product owner.
Who Are The Stakeholders of Vulnerability Disclosure?
Each stakeholder in a vulnerability disclosure scenario has unique motivations and risks. Sometimes these differences cause friction that can be avoided. Understanding the interests of each group can help organizations streamline a vulnerability disclosure event, take appropriate action, and avoid increased reputational fallout.
Security researchers: Other stakeholders often envision a perfect world in which security researchers only conduct legal and authorized testing; the reality is not so. Dealing with a security researcher who may have crossed those lines (a "gray hat" hacker) may stir negative emotions in a company's management, but each disclosure needs to be handled with professionalism. On the bright side, it is likely better than falling prey to a black hat hacker. Researchers are expected to make reasonable efforts to contact the security team and to provide enough detail for their findings to be verified. On the other side of the coin, researchers should understand that demanding payment is unlikely to result in a reward unless the finding falls within a formal bug bounty program.
Owners of the vulnerable systems: Wishing that hackers didn't exist won't make the problem go away. Organizations need to be both emotionally and operationally prepared to encounter security researchers who operate in a legal gray area, since not all of them will follow the guidelines of responsible disclosure. The bottom line is that vendors have a responsibility to patch security gaps in their products, and they need to prepare for the scenario in which a vulnerability is disclosed publicly. If customer systems are compromised, it will affect the vendor's reputation, legal exposure, and ultimately its bottom line.
Users of the vulnerable products: Prefer that the systems they use be patched as quickly as possible.
Best Practices For Vulnerability Disclosure
Ensuring that software or hardware vendors can address vulnerabilities before bad actors find and exploit them is crucial. Identifying such flaws is so important that bug bounties (vulnerability reward programs that pay researchers for finding flaws) are often run alongside internal code audits and penetration tests as part of an organization's vulnerability management strategy.
Here are best practices to help your organization prepare for disclosures:
Have a Formal Vulnerability Disclosure Policy: This gives security researchers some assurance that your organization is ready and willing to communicate with them. The policy recommended by CISA is a good place to start. Publish your security vulnerability reporting policy in a visible location, such as your website's legal page, so that potential reporters can easily find it.
Reward Compliant Researchers: If a security researcher follows the guidelines of responsible disclosure, treat their work as authorized. Assure reporters that you will not take legal action against them or involve law enforcement as long as they adhere to responsible reporting guidelines.
Provide a Dedicated Reporting Channel: Create a dedicated email address or reporting channel specifically for security vulnerability reports, and make it easy for reporters to reach your organization. Another option is to publish a security.txt file on your website containing your contact information.
Be Emotionally Prepared: Gray hat hackers may have crossed some lines you wish they hadn't. Product owners nevertheless need to handle all disclosures with professionalism. Encourage a positive and cooperative approach to addressing security vulnerabilities; doing so will encourage responsible disclosure in the future and benefit all stakeholders.
Offer Secure Communication Options: Give reporters a way to encrypt their communications when submitting vulnerability reports. This protects sensitive information and builds trust.
Commit to Investigation and Resolution: Commit to investigating legitimate vulnerability reports thoroughly and to correcting any confirmed vulnerabilities promptly. Specify a timeframe within which you will acknowledge and respond to reports; this manages expectations and demonstrates your commitment to addressing security concerns.
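The security.txt file suggested in the reporting-channel item above follows RFC 9116, and the following checker is an added example (not the article's own code; every address and URL in it is a constructed placeholder). It parses a file as a reporter's tooling would and flags the mistakes that most often make one unusable: a bare address instead of a mailto: URI, a missing or stale Expires field, and a non-https Policy link.

```python
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # Contact URI forms RFC 9116 allows
# Constructed sample files (placeholder addresses): one compliant, one with common mistakes.
GOOD = f"""Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: {datetime.now(timezone.utc) + timedelta(days=180):%Y-%m-%dT%H:%M:%SZ}
Policy: https://example.com/vulnerability-disclosure-policy
"""
BAD = """Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Policy: http://example.com/policy
"""

def parse_security_txt(text):
    """Map each field name to its list of values, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return the problems found; an empty list means the file passed these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    contacts = fields.get("Contact", [])
    problems = ["missing required Contact field"] if not contacts else [
        f"Contact must be a mailto:, tel: or https: URI, got: {c}"
        for c in contacts if not c.startswith(CONTACT_SCHEMES)]
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:  # RFC 3339 timestamp, e.g. 2024-12-31T18:37:07Z
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif when <= now:
                problems.append("Expires is in the past; reporters will treat the file as stale")
            elif when > now + timedelta(days=366):
                problems.append("Expires must be less than a year in the future")
    problems += [f"{n} must be an https URL: {u}" for n in ("Policy", "Canonical")
                 for u in fields.get(n, []) if not u.startswith("https://")]
    return problems
```

Serve the validated file at /.well-known/security.txt and re-run the check before the Expires date passes, since an expired file tells reporters the channel is unmaintained.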
Handling vulnerability disclosures is crucial for organizations in the face of increasing cybersecurity threats. Security researchers and customers may discover weaknesses that could be exploited by malicious actors.
Changes such as the EU's proposed Cyber Resilience Act signal a trend toward greater responsibility for technology product vendors and underline the importance of addressing vulnerability disclosures responsibly. By being prepared and implementing policies and best practices, organizations can prevent mishaps, build trust with security researchers, address vulnerabilities effectively, and improve their overall cybersecurity posture.
Ready to test whether your organization is prepared for vulnerability disclosure? Reach out to our team today for your free, zero-obligation quote.