Some thoughts on responsible vulnerability disclosure

April 09, 2017 — Published in Security

It’s hard for system owners to keep their systems secure. Servers and devices are scanned, defaced, compromised by the minute, by newbies playing around with github scripts, nation state actors and everything in between. Lucky for us, a growing group of ethical hackers spends time hunting and reporting vulnerabilities.

In this post, I want to shine some light on “responsible vulnerability disclosure”. In some communities, this practice is known under a different name: Coordinated Vulnerability Disclosure (CVD). I think it would be a good idea if this practice got a little more publicity and recognition. Although it is slowly becoming more common, we are nowhere near done with defining and promoting responsible disclosure.

So what do I mean by responsible disclosure? My attempt at a definition is as follows:

Responsible disclosure is a form of vulnerability disclosure in which both the reporting ethical hacker and the owner of a vulnerable system try to solve the vulnerability together, by collaborating, sharing knowledge, communicating clearly with each other and adhering to some basic nettiquete rules.

As a security community, we need to keep sharing our experiences, both from the perspective of ethical hackers and vulnerable parties. We need to keep asking ourselves: ‘What practices make vulnerability disclosure responsible?’

Where vulnerability disclosure goes wrong

There are plenty of examples where a security researcher has found a vulnerability but the disclosure of the vulnerability doesn’t exactly happen in a responsible manner.

Some examples:

  • A vulnerability has been found, but it’s unclear who the system owner is
  • A vulnerability has been found, but it’s unclear how to contact the system owner
  • The system owner does not respond to messages
  • The system owner feels threatened and/or blackmailed by the security researcher
  • The systems owner threatens with legal consequences, lawyers or fines
  • The security researcher does not allow the systems owner to solve the vulnerability within a reasonable time frame
  • The security researcher does not provide enough technical details to reproduce or solve the problem
  • The security researcher demands money in exchange for the vulnerability report

What can ethical hackers do?

When you report a vulnerability, give enough information to reproduce the problem. It’s also a good idea to list possible ways to mitigate or solve the problem, if these exist. In my opinion, this is both a sign of goodwill and extremely helpful to the person receiving this report.

Do not download or manipulate any data you might have encountered during your investigation. Don’t make any changes to the vulnerable system.

Give the system owner enough time to respond. Take into account: office hours, time zones, different communication channels, and the fact that the systems owner is probably human (and not a time-bending superhero).

What can organisations do?

Create a Responsible Disclosure Policy and make sure it is easy to find on your website. Luckily, there are a few good policy examples online that you can use to design your own:

Communicate clearly with people who want to report a vulnerability in one of your systems. Clearly state in your policy what the disclosing party can expect from you. For example: put down a timeframe in which the disclosure can expect a response to their vulnerability disclosure.

Take disclosures seriously. Keep ethical hacker up-to-date during the process. If you publish anything about the vulnerability, be sure to give proper credit where it is due.

My own experiences

I’m lucky that I had only neutral or positive experiences with vulnerability disclosure. In one of the better cases, I got an email of the vulnerable systems owner within hours, thanking me for my efforts. The vulnerability had been fixed.

However, there have been many cases where I could not determine the owner of a system, which makes responsible disclosure so much harder to do right.

Further reading

I’d be happy to hear about your experiences with responsible disclosure. Feel free to share your stories in the comments.