Some thoughts on responsible vulnerability disclosure
It's hard for system owners to keep their systems secure. Servers and devices are scanned, defaced and compromised by the minute, by newbies playing around with GitHub scripts, nation state actors and everything in between. Lucky for us, a growing group of ethical hackers spends time hunting and reporting vulnerabilities.
It appears ‘bug bounty’ surpassed ‘vulnerability assessment’ in search volume and gaining on 'penetration testing.' pic.twitter.com/ftDkIaVMMx
— Jeremiah Grossman (@jeremiahg) 17 August 2016
In this post, I want to shine some light on "responsible vulnerability disclosure". In some communities, this practice is known under a different name: Coordinated Vulnerability Disclosure (CVD). I think it would be a good idea if this practice got a little more publicity and recognition. Although it is slowly becoming more common, we are nowhere near done with defining and promoting responsible disclosure.
So what do I mean by responsible disclosure? My attempt at a definition is as follows:
Responsible disclosure is a form of vulnerability disclosure in which both the reporting ethical hacker and the owner of the vulnerable system try to solve the vulnerability together, by collaborating, sharing knowledge, communicating clearly with each other and adhering to some basic netiquette rules.
As a security community, we need to keep sharing our experiences, both from the perspective of ethical hackers and vulnerable parties. We need to keep asking ourselves: 'What practices make vulnerability disclosure responsible?'
Where vulnerability disclosure goes wrong
There are plenty of examples where a security researcher has found a vulnerability, but the disclosure of that vulnerability does not exactly happen in a responsible manner.
Some examples:
- A vulnerability has been found, but it's unclear who the system owner is
- A vulnerability has been found, but it's unclear how to contact the system owner
- The system owner does not respond to messages
- The system owner feels threatened and/or blackmailed by the security researcher
- The system owner threatens the researcher with legal consequences, lawyers or fines
- The security researcher does not give the system owner a reasonable time frame in which to solve the vulnerability
- The security researcher does not provide enough technical details to reproduce or solve the problem
- The security researcher demands money in exchange for the vulnerability report
What can ethical hackers do?
When you report a vulnerability, give enough information to reproduce the problem. It's also a good idea to list possible ways to mitigate or solve the problem, if these exist. In my opinion, this is both a sign of goodwill and extremely helpful to the person receiving this report.
Do not download or manipulate any data you might have encountered during your investigation. Don't make any changes to the vulnerable system.
Give the system owner enough time to respond. Take into account office hours, time zones, different communication channels, and the fact that the system owner is probably human (and not a time-bending superhero).
What can organisations do?
Create a Responsible Disclosure Policy and make sure it is easy to find on your website. Luckily, there are a few good policy examples online that you can use to design your own:
- The National Cyber Security Centre of the Netherlands (NCSC-NL) has published a responsible disclosure guideline in English.
- Floor Terra, a Dutch security researcher, has published an example responsible disclosure policy under a Creative Commons license which anyone can use.
Communicate clearly with people who want to report a vulnerability in one of your systems. Clearly state in your policy what the disclosing party can expect from you. For example: put down a time frame within which the discloser can expect a response to their vulnerability report.
Take disclosures seriously. Keep the ethical hacker up to date during the process. If you publish anything about the vulnerability, be sure to give proper credit where it is due.
My own experiences
I'm lucky that I have had only neutral or positive experiences with vulnerability disclosure. In one of the better cases, I got an email from the vulnerable system's owner within hours, thanking me for my efforts. The vulnerability had been fixed.
However, there have been many cases where I could not determine the owner of a system, which makes responsible disclosure so much harder to do right.
Further reading
- In this blogpost, Jeroen van der Ham describes two experiences with responsible disclosure.
- Chris van 't Hof wrote the book Helpful hackers on Responsible Disclosure in the Netherlands, with multiple case studies of ethical hackers.
- Ethical hacker Victor Gevers (@0xdude) regularly tweets and talks about his experiences with responsible disclosure.
- The University of Oulu (Finland) maintains an extensive list of academic papers, articles, blog posts and other publications about coordinated vulnerability disclosure.
- It turns out there is a publicly-available ISO standard for vulnerability disclosure: ISO 29147! You can download the 2014 version of the ISO standard for free.
I'd be happy to hear about your experiences with responsible disclosure. Feel free to share your stories in the comments.