Ars Technica published an article about Disclose.io, a site promoting an open source approach to creating standard policies for companies that protect security researchers and encourage responsible disclosure. This is a response to the current state of the technology sector, where every company has a unique policy (or, in many cases, no policy at all) defining how researchers can submit their findings and whether they will be protected from legal action. This policy minefield puts a damper on research and on the reporting of new vulnerabilities.
A study commissioned by the Center for Democracy & Technology (CDT) found that security researchers are often hesitant to report their findings for fear of legal action. This creates a chilling effect in the research community and harms overall security by preventing responsible handling of vulnerabilities. Think about it: if you're a white hat hacker, which company do you choose to research? Company A, with a clearly defined vulnerability disclosure policy, or Company B, which takes legal action against researchers?
Of the researchers we interviewed, few reported receiving threats related to a disclosure, either veiled or explicit. The researcher reporting the greatest number of threats often serves as a disclosure intermediary for other researchers. This subject reported that many of the researchers for whom the subject had performed a notification or disclosure did not want to notify the company themselves because of the risk they associated with notification. Other interview subjects reported being pressured by companies to keep quiet or to sign non-disclosure agreements (NDAs).
– Page 12 of the “Risk Basis for Security Research” report.
What is responsible disclosure?
Responsible disclosure (now more commonly called coordinated vulnerability disclosure, or CVD) is one of several models for releasing security vulnerability research. The key differentiator is that the researcher reports the vulnerability privately to the vendor first, and the details are made public only after an agreed period has passed and a patch has been released to the public. Most published policies also set a maximum embargo period after which the researcher may publish even if no patch has shipped, so that a vendor cannot sit on a report indefinitely. This model allows researchers to contribute to the greater good while companies have time to develop, test and deploy patches to protect customers. Researchers still receive credit and, in many cases, financial rewards. The SANS Institute InfoSec Reading Room has an excellent paper on responsible disclosure that also touches on the other models.
Why we need standards:
Malicious hackers examine products as intensely as white hats, perhaps even more so, since there is a huge financial incentive to develop and weaponize vulnerabilities. These weaponized exploits are incorporated into attack tools available for free or at a moderate price on the dark web. Malware as a service (MaaS) extends the shift to cloud-oriented, subscription-based models to the criminal market and is making sophisticated attack tools accessible to would-be attackers with little skill of their own.
Companies that don't create a safe harbor for security researchers are only hurting themselves and their users. Policies that promote research, grant legal protection and outline financial incentives attract ethical people. These researchers act as an extension of a company's own security and QA resources. By protecting and enabling research, the company learns about vulnerabilities before they are discovered and used for malicious purposes, which allows it to protect its users and avoid significant fines and loss of goodwill.
Companies with no safe harbor policy reap none of the benefits of this supplemental security blanket. Ethical researchers avoid companies that stifle research and answer responsible disclosures with legal action. As white hats avoid these companies, black hats are attracted to products that aren't being evaluated for vulnerabilities. Ironically, those vulnerabilities will cost the company many times what an incentive-based safe harbor policy would. Now that GDPR is in force, a company can be fined up to 4% of its annual global turnover or €20 million, whichever is greater, for violating data privacy regulations.
Every company, whether it sells hardware and software or merely uses them to support business operations, has a stake in the effort to promote responsible disclosure of vulnerabilities. Vulnerabilities will continue to be discovered and weaponized, putting users' privacy at risk and costing companies millions of dollars in lost revenue and remediation. Vaccines are so effective because they create herd immunity. Like a vaccine, the more research directed at technology products, the safer we will all be.
Mugatu knows a trend when he sees one.