Vulnerability disclosure ecosystem
An information security vulnerability is a flaw or weakness in a system or application that an attacker could exploit to compromise the confidentiality, integrity or availability of software or hardware systems.
We as security testers (pentesters, white-hat hackers) find new vulnerabilities every day in our clients' software, systems and procedures. If someone disclosed them before they were patched, it could cause serious problems for both the users and the company.
Even though identifying and fixing vulnerabilities is crucial, and the disclosure of vulnerabilities is part of this ecosystem, performing security tests on systems we are not authorized to test can lead to legal issues for the researcher. This risk can be reduced by following good practices when we disclose a vulnerability.
To understand how we should disclose vulnerabilities, we need to know the actors that take part in this process:
Finders: individuals or organizations who find vulnerabilities; they can be researchers, security companies, users, among others.
Vendors: they develop and maintain information system products that may be vulnerable; this includes both large software vendors and small open-source development groups.
Coordinators: they manage the vendor's response to vulnerabilities, serve as unbiased, independent evaluators of severity, and may act as a channel for communicating with the public.
Users: anyone using a vendor's product who could be affected by the vulnerability.
Responsible vulnerability disclosure
In order to avoid legal issues and reach a good-faith resolution of vulnerabilities, we need to follow a structured plan. The life cycle of a vulnerability disclosure is as follows:
A security researcher, organization or individual tries to discover new vulnerabilities in a system or application, then tests and validates each vulnerability by developing a repeatable process to verify its effects.
They then communicate their discovery to the software vendor, either directly or through a coordinator (such as a CSIRT, a Computer Security Incident Response Team).
The vendor investigates the vulnerability and, if it is validated, starts working on a patch or countermeasure. When finished, they release the fix together with the information about the vulnerability.
Communicating the vulnerability is the most important part of the process. In this step, the maturity of both vendor and researcher is put to the test. Here are some good practices a security tester can use when reporting a vulnerability:
Alert the company.
If communication fails, try several times with multiple people up the chain of command.
If communication with the vendor fails, try the national CSIRT.
If nothing works, proceed with the CSIRT to a full disclosure.
Each step has a time interval, and different methodologies advise different waiting times. Some have a 45-day disclosure policy, others 90 days from notification (we recommend the latter). In any case, you need to be flexible, as these times may change. Communication is key in these events.
The vendor should provide status updates on the vulnerability and try to resolve it within the time frame. They may ask for a grace period during which the finder and the coordinator will not release the details of the vulnerability; whether to grant one depends on the severity of the flaw and the difficulty of fixing it.
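To make the escalation ladder and the disclosure clock concrete, here is an added example (not code from the original article) that tracks where a single report stands on a given day. The 90-day window is the article's recommendation; the 14- and 30-day escalation offsets, the rule that a grace period is only granted once the vendor has acknowledged the report, and the `Disclosure` class itself are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# 90 days from notification is the policy recommended in the article
# (45 days is the other common choice).
DISCLOSURE_DAYS = 90

# Escalation ladder from the article. The day offsets at which each step
# kicks in (if the vendor has still not acknowledged) are an assumption
# for this example, not numbers given in the article.
ESCALATION_STEPS = [
    (0, "Alert the company"),
    (14, "Retry with multiple people up the chain of command"),
    (30, "Contact the national CSIRT"),
]


@dataclass
class Disclosure:
    """State of one vulnerability report (illustrative, not a standard)."""
    notified: date            # day the vendor (or coordinator) was notified
    acknowledged: bool = False
    fixed: bool = False
    grace_days: int = 0       # extension granted on the vendor's request

    @property
    def deadline(self) -> date:
        # Public disclosure date: policy window plus any granted grace period.
        return self.notified + timedelta(days=DISCLOSURE_DAYS + self.grace_days)

    def grant_grace(self, days: int) -> date:
        # Assumption for this example: a grace period only makes sense once the
        # vendor is actually engaged, so require an acknowledgement first.
        if not self.acknowledged:
            raise ValueError("grace period requires vendor acknowledgement")
        if days <= 0:
            raise ValueError("grace period must be positive")
        self.grace_days += days
        return self.deadline

    def next_action(self, today: date) -> str:
        """Return the finder's next step as of `today`."""
        if self.fixed:
            return "Fixed: publish the advisory and confirm credit to the finder"
        if today >= self.deadline:
            return "Deadline passed: proceed with the CSIRT to full disclosure"
        if self.acknowledged:
            return f"Wait for vendor status updates (deadline {self.deadline})"
        # Vendor silent: walk the escalation ladder by elapsed days.
        elapsed = (today - self.notified).days
        action = ESCALATION_STEPS[0][1]
        for offset, step in ESCALATION_STEPS:
            if elapsed >= offset:
                action = step
        return action


if __name__ == "__main__":
    # Constructed timeline for a report notified on 1 Jan 2024.
    report = Disclosure(notified=date(2024, 1, 1))
    for day in (date(2024, 1, 1), date(2024, 1, 20), date(2024, 2, 5)):
        print(day, "->", report.next_action(day))
    report.acknowledged = True
    print("vendor acknowledged, deadline:", report.deadline)
    print("grace granted, new deadline:", report.grant_grace(30))
    print(date(2024, 4, 30), "->", report.next_action(date(2024, 4, 30)))
```

The deadline only moves when a grace period is explicitly granted, so the finder keeps a record of why the original window was extended; the escalation steps apply only while the vendor stays silent, which matches the ladder above.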
When the vulnerability is fixed, the vendor should give credit to the finder, usually in the patch notes; some vendors also run bug bounty programs that pay researchers a reward.
Vulnerability disclosure is a delicate process, but also a very rewarding one for all parties. It is well known that today many security vulnerabilities are exploited by malicious attackers, leading to the disclosure of customer and company information. A benign environment where security researchers and vendors can team up to find and fix critical vulnerabilities before they affect anyone is a win-win situation.
Systems Engineer, Security+
"Be formless, shapeless like water" Bruce Lee