COMMUNITY BLOG - Rajitha Udayanga - Responsible Disclosure
Updated: Dec 28, 2021
The community blog posts are written by InfoSec professionals from diverse sectors who have kindly provided articles for free to support the demystifying of cyber.
Author: Rajitha Udayanga
A few days ago, I saw a cybersecurity enthusiast publish a post on how he found a brand-new vulnerability impacting a network security device. No doubt it’s cool when someone identifies a bug/security flaw, and many followers congratulated him on his findings. It turned out the person found the flaw then within a few hours posted it straight to social media.
Finding a security flaw/vulnerability is a fantastic thing. However, you must do a responsible disclosure too.
There are three ways of doing a disclosure:
In the private disclosure model, the vulnerability is reported privately to the organisation. The organisation may choose to publish the details of the vulnerabilities, but this is done at the discretion of the organisation, not the researcher, meaning that many vulnerabilities may never be made public. The majority of bug bounty programmes require that the researcher follows this model.
Public (or Full) Disclosure
The full details of the vulnerability are made public as soon as they are identified. This means that the full details (sometimes including exploit code) are available to attackers, often before a patch is available. The full disclosure approach is primarily used in response to organisations ignoring reported vulnerabilities in order to put pressure on them to develop and publish a fix.
Responsible or coordinated disclosure
Responsible disclosure attempts to find a reasonable middle ground between these two approaches. With responsible disclosure, the initial report is made privately, but with the full details being published once a patch has been made available (sometimes with a delay to allow more time for the patches to be installed). In many cases, the researcher also provides a deadline for the organisation to respond to the report or to provide a patch. If this deadline is not met, then the researcher may adopt the full disclosure approach and publish the full details.
It’s clear that the responsible disclosure approach is designed to ensure the security researched/enthusiasts identify security flows/vulnerabilities where product owners/vendors fix them within a reasonable time. Also, this system enforces time limits on vendors to act; if not, the researcher can go for full disclosure.
So why would people go with the full disclosure?
- Lack of understanding of disclosure ethics.
- To gain public attention
- Unavailability of a Proper vulnerability disclosure policy by the product vendor
Why you shouldn’t choose public disclosure as the first option
- The intention of finding a vulnerability is to fix it, so if we do a full disclosure in the first place, the attacker could easily exploit or weaponise it and cause harm against general public systems.
- Someone else already did a responsible disclosure, and the product owner/vendor is already working on a fix (known as disclosure embargo).
- You may be violating the software use agreement and could face legal challenges.
- You may be breaking the ethics of cybersecurity. This will also may severely be impacting your career.
Suppose you ever found a vulnerability/security flow. In that case, the best thing you can do is do a responsible vulnerability disclosure, so you play your part in the fight against cybercriminals. If you are unsure, get advice from a cybersecurity professional.
ASD ISMS guidelines on Vulnerability disclosure program - https://www.cyber.gov.au/acsc/view-all-content/guidance/application-development
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 29147:2018, Information technology – Security techniques – Vulnerability disclosure, at https://www.iso.org/standard/72311.html
CISA Coordinated Vulnerability Disclosure (CVD) Process - https://www.cisa.gov/coordinated-vulnerability-disclosure-process
COMMUNITY BLOG - guest author Rajitha Udayanga - 1 July 2021