It’s hard for system owners to keep their systems secure. Servers and devices are scanned, defaced, compromised by the minute, by newbies playing around with github scripts, nation state actors and everything in between. Lucky for us, a growing group of ethical hackers spends time hunting and reporting vulnerabilities.
It appears ‘bug bounty’ surpassed ‘vulnerability assessment’ in search volume and gaining on 'penetration testing.' pic.twitter.com/ftDkIaVMMx— Jeremiah Grossman (@jeremiahg) 17 August 2016
In this post, I want to shine some light on “responsible vulnerability disclosure”. In some communities, this practice is known under a different name: Coordinated Vulnerability Disclosure (CVD). I think it would be a good idea if this practice got a little more publicity and recognition. Although it is slowly becoming more common, we are nowhere near done with defining and promoting responsible disclosure.
So what do I mean by responsible disclosure? My attempt at a definition is as follows:
Responsible disclosure is a form of vulnerability disclosure in which both the reporting ethical hacker and the owner of a vulnerable system try to solve the vulnerability together, by collaborating, sharing knowledge, communicating clearly with each other and adhering to some basic nettiquete rules.
As a security community, we need to keep sharing our experiences, both from the perspective of ethical hackers and vulnerable parties. We need to keep asking ourselves: ‘What practices make vulnerability disclosure responsible?’
There are plenty of examples where a security researcher has found a vulnerability but the disclosure of the vulnerability doesn’t exactly happen in a responsible manner.
When you report a vulnerability, give enough information to reproduce the problem. It’s also a good idea to list possible ways to mitigate or solve the problem, if these exist. In my opinion, this is both a sign of goodwill and extremely helpful to the person receiving this report.
Do not download or manipulate any data you might have encountered during your investigation. Don’t make any changes to the vulnerable system.
Give the system owner enough time to respond. Take into account: office hours, time zones, different communication channels, and the fact that the systems owner is probably human (and not a time-bending superhero).
Create a Responsible Disclosure Policy and make sure it is easy to find on your website. Luckily, there are a few good policy examples online that you can use to design your own:
Communicate clearly with people who want to report a vulnerability in one of your systems. Clearly state in your policy what the disclosing party can expect from you. For example: put down a timeframe in which the disclosure can expect a response to their vulnerability disclosure.
Take disclosures seriously. Keep ethical hacker up-to-date during the process. If you publish anything about the vulnerability, be sure to give proper credit where it is due.
I’m lucky that I had only neutral or positive experiences with vulnerability disclosure. In one of the better cases, I got an email of the vulnerable systems owner within hours, thanking me for my efforts. The vulnerability had been fixed.
However, there have been many cases where I could not determine the owner of a system, which makes responsible disclosure so much harder to do right.
I’d be happy to hear about your experiences with responsible disclosure. Feel free to share your stories in the comments.