For a while now, many companies and organisations have been trying to find a solution to counter open bug bounties or to prevent the public full disclosure of a security breach. You may already have heard of the concept of “Responsible Disclosure”, which takes the concept of “Full Disclosure” except that, this time, the discovery of the defect leaves the publisher time to release a patch. This process does not always run smoothly, as researchers usually want to warn the community of their discovery as quickly as possible, and publishers often take a long time to propose a patch. During this period the impacted system remains at the mercy of potential attackers.
Many organisations support the concept of “Coordinated Vulnerability Disclosure” (CVD) to promote and strengthen cooperation between the various cyber security actors, who share a common goal: to make the Internet safer. CVD is a process aimed at reducing risk and ultimately mitigating the potential damage caused by a vulnerability within a system.
Coordinated Vulnerability Disclosure is therefore the process of:
- Gathering information from vulnerability researchers,
- Coordinating the information shared between the involved parties (organisations, researchers, etc.), and
- Disclosing the existence of the vulnerabilities (in software or even hardware) and their mitigations to the various participants, including the general public.
This practice significantly increases the chances of success of any vulnerability response process.
The ISO/IEC 29174 standard provides advice on how organisations should respond to security vulnerability reports. It also sets out how to receive vulnerability reports from researchers and how to process those reports in order to fix the issue.
This process includes actions such as reporting, coordinating and publishing information about a vulnerability, its mitigation and ideally, its resolution.
- Reducing the risks and therefore, the damages
- Believing in good deeds and good Samaritans
- Avoiding Unpredictability
- Stimulating cooperation
- Following the ethics
- Learning from the OODA loop
- Considering CVD as a leading process between the “best” and the “worst”
- Ensuring that the vulnerabilities identified are taken into account
- Minimising the vulnerability risk
- Providing the users with sufficient information to assess the vulnerabilities of their systems
Coordinated Vulnerability Disclosure commonly starts with the detection of a vulnerability and ends with the deployment of a fix or a mitigation.
Several actors are therefore involved in the CVD process:
- Security Investigator – the person or organisation that identifies the vulnerability.
- Reporter – the person or organisation that reports the vulnerability to the supplier.
- Supplier – the person or organisation that created or maintains the vulnerable product.
- System Administrator – the person or organisation that needs to deploy a patch or take other corrective actions.
- Coordinator – the person or organisation that facilitates the coordinated response process.
The following steps are required in the CVD process:
- Discovery – Someone discovers a vulnerability in a product.
- Report – The product vendor or a coordinating third party receives a vulnerability report.
- Qualification – The recipient of a report validates it to ensure its accuracy before prioritising it for further action.
- Remediation – A remediation plan (ideally a software patch) is developed and tested.
- Public Awareness – Vulnerability and corrective actions are revealed to the public.
- Deployment – Corrective actions are applied to the affected systems.
The reporting phase is important because it requires secure channels, so that the transmitted information cannot be intercepted by a third party.
This process is not without difficulties, however:
- No supplier contact available – This can happen because a contact could not be found or because the contact is not approachable.
- Termination of Cooperation – Participants in the CVD process may have other priorities that attract their attention.
- Information leaks – Whether intentional or not, information intended for a small group of actors can be shared with others who are not involved in the CVD process.
- Independent Discovery – Any vulnerability that can be found by one individual, can be found by another, and not everyone will tell you about it.
- Active Exploitation – Evidence that a vulnerability is being actively exploited by attackers requires the CVD process to be accelerated in order to reduce users' exposure to risk.
- Fading communication – CVD is a process of coordinating human activities. As such, its success depends on the quality of the relationships between participants.
- Marketing – In some cases, vulnerabilities can be used as a marketing tool. This is not always advantageous to the smooth running of the CVD.
Vulnerability disclosure practices are no longer limited to web applications. The Internet of Things and the whole range of SCADA systems, connected health devices, CCTV, connected cars, drones and even toys have become so dependent on software and the Internet that they expand the exposure perimeter and, as a result, will inevitably be exposed to new attacks.
Coordinated Vulnerability Disclosure is a major ally in bringing together the largest number of cyberspace actors and kick-starting the exchange of knowledge, to ensure systems are designed with security built-in from the beginning.
By encouraging cooperation, CVD will enable all cybersecurity players not only to defend their knowledge and information assets, but also to fight more effectively against the black market and/or the resale of zero-day vulnerabilities.