Home » Security Bloggers Network » Vulnerability Disclosure Ecosystem

Vulnerability Disclosure Ecosystem

by Jonathan Armas on October 24, 2018

An information security vulnerability is a flaw or a weakness in a
system or application that a malicious attacker could exploit, and could
result in a compromise of the confidentiality, integrity or availability
of both software and hardware systems.

We,
as Security Testers
(pentesters
or white hat hackers),
every day find new vulnerabilities in our clients’ software,
systems and procedures.
If someone discloses these,
before they’re fixed,
the result could be as great a problem for the users
as it is for the company.

Identifying and fixing vulnerabilities is crucial, and the process of
disclosure of vulnerabilities is a part of this ecosystem. However,
performing security tests on systems that we do not have the
authorization for, could result in legal issues for the researcher. This
risk might be reduced if we apply good practices when we are going to
disclose a vulnerability.

To understand how we should disclose vulnerabilities, we need to know
who the actors are who participate in this process:

Discoverers

Individuals or organizations who find vulnerabilities. They could be
researchers, security companies, users, as well as others.
Vendors

They develop and maintain information system products that may be
vulnerable. This includes both large vendors of software and small
open-software development groups.
Coordinators

They manage the vendor’s response to vulnerabilities. They serve as
unbiased, independent evaluators of severity and may act as an
intermediary for communicating with the public.
Users

Anyone using a vendor’s product that could be affected by the
vulnerability.

Responsible vulnerability disclosure

To avoid legal issues and to have a successful resolution of the
vulnerabilities, we need to follow a structured plan. The life cycle of
a vulnerability disclosure is as follows:

Vulnerability Cycle

Figure 1. Vulnerability Cycle

A security researcher, organization or individual tries to find new
vulnerabilities on a system or application. They test and validate the
vulnerability by developing a repeatable process to verify its effects.

Then, they communicate what they have found to the software vendor. This
could be direct communication to the vendor, or through a coordinator
like a CSIRT-Computer Security Incident Response Team.

Later, the vendor investigates the vulnerability. If it’s validated,
they start to work in a patch or countermeasure. When finished, they
release the new fix and the information about the vulnerability.

Reporting the vulnerability is the most important part of the process.
In this step, the expertise of both vendor and researcher are put to the
test. Here, we can establish some good practices a security tester can
use when reporting a vulnerability:

Alert the company
If alerting the company fails, try contacting multiple people from
the company’s chain of command, several different times.
If altering the vendor fails, try contacting the national CSIRT.
If all else fails, contact the CSIRT with a full disclosure.

Each step has a time interval. There are multiple methodologies that
have different waiting times. Some have a 45-day disclosure policy,
others 90 days since the notification, which is what we recommend. In
any case, you need to be flexible, as these times might change.
Communication is key when managing these events.

The vendor should provide status updates about the vulnerability and try
to resolve it within the stated timeframe. They can ask for a grace
period during which the finder and the coordinator won’t release the
details of the vulnerability; it all depends on the severity of the flaw
or the difficulty involved with resolving it.

When the vulnerability is fixed, the vendor has to credit the finder.
Usually, this is done by putting the finder on the patch notes. Some
vendors have bug bounty rewards where they give money to the finders.

Vulnerability disclosure is a delicate process, but also a very
rewarding one for all parties. It is well known that nowadays there are
multiple security vulnerabilities and customer/company information
disclosure can be exploited by malicious attackers. A benign environment
where security researchers and vendors can team-up together to find and
fix critical vulnerabilities before they can affect someone is a win-win
situation.

Resources

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jonathan Armas. Read the original post at: https://fluidattacks.com/blog/vulnerability-disclosure/

October 24, 2018October 24, 2018 Jonathan Armas

Vulnerability Disclosure Ecosystem

Responsible vulnerability disclosure

Resources

Senator Sanders Wants to Own AI Companies — and Hand America’s Adversaries the Keys

NIST’s Nine: The PQC Signature Race Moves to Round Three

The Quantum Arms Race: Why Washington Just Wrote a $2 Billion Check to Nine Companies

Beyond Moore’s Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities

The Exception Economy: When Security Teams Stop Protecting and Start Negotiating

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Randall Munroe’s XKCD ‘Types of Board Game’