The excitement of finding a vulnerability in a piece of commercial software can quickly shift to fear and regret when you disclose it to the vendor and find yourself in a conversation with a lawyer questioning your intentions.
This is an unfortunate reality in our line of work, but you can take actions to protect your butt. Telling software maintainers about the vulnerabilities we find in their products falls right in line with this idea. There is something else to consider, however: vendors often lack the same altruistic outlook.
Some vendors even interpret vulnerability discovery as a direct attack against their product, or even against their company. There are plenty of organizations out there selling exploits for undisclosed vulnerabilities, and a seemingly even greater number of criminal or state-sponsored organizations leveraging undisclosed vulnerabilities for corporate espionage and nation-state attacks.
The emergence of bug bounty programs has really helped steer bug hunters away from criminal outlets by offering monetary reward and public recognition. It has also demystified how disclosure is handled. However, not all vendors offer a bug bounty program, and many times lawyers may not even be aware of the bug bounty programs available in their own organization, which could put you in a sticky situation if you take the wrong approach to disclosure.
General Approaches

In general, there are three categories of disclosure:

Full disclosure — Full details are released publicly as soon as possible, often without vendor involvement.
Coordinated disclosure — Researcher and vendor work together so that the bug is fixed before the vulnerability is disclosed.
Private or non-disclosure — The vulnerability is released to a small group of people (not the vendor) or kept private.

These categories broadly classify disclosure approaches, but many actual disclosure policies are unique in that they set time limits on vendor response, and so on.
Established Disclosure Standards

To give better perspective, let's look at some existing standards that help guide you in the right direction.

Responsible Vulnerability Disclosure Process - This process accurately defines the appropriate roles and steps of a disclosure; however, it fails to address publication by the researcher if the vendor fails to respond or causes unreasonable delays. At most, the process states that the vendor must provide specific reasons for not addressing a vulnerability within 30 days of initial notification.
Organization for Internet Safety (OIS) Guidelines for Security Vulnerability Reporting and Response - The OIS guidelines provide further clarification of the disclosure process, offering more detail and establishing terminology for common elements of a disclosure, such as the initial vulnerability report (Vulnerability Summary Report), the request for confirmation (Request for Confirmation Receipt), the status request (Request for Status), etc.
As with the Responsible Vulnerability Disclosure Process, the OIS Guidelines also do not define a hard time frame for when the researcher may publicize details of the vulnerability. The OIS also introduces the scenario where an unrelated third party discloses the same vulnerability — at that time the researcher may disclose without the need for a vendor fix.
Coordinated Vulnerability Disclosure (CVD), however, refrains from defining any specific time frames and only permits public disclosure after a vendor resolution is available or evidence of exploitation is identified.

Coordinator Policies

Coordinators act on behalf of a researcher to disclose vulnerabilities to vendors. They provide a level of protection to the researcher and also take on the role of finding an appropriate vendor contact. This section gives an overview of coordinator policies. This occurs regardless of whether a patch or workaround is released by the vendor.
Exceptions to this policy do exist for critical issues in core components of technology that require a large effort to fix, such as vulnerabilities in standards or core components of an operating system.
It uses the submitted vulnerabilities to generate signatures so that its security products can offer clients early detection and prevention.
Security companies commonly support vulnerability research and make their policies publicly available.
This section provides an overview of a handful:

Rapid7 Vulnerability Disclosure Policy - Rapid7 attempts to contact the vendor via telephone and email; after 15 days, regardless of response, it posts its findings to CERT/CC.