Best Practices for Vulnerability Disclosure Marketing
When a data breach occurs, here’s how to handle the vulnerability disclosure to the public via marketing methods
It’s no secret that data breaches are on the rise, with one occurring every 39 seconds. Vendors are particularly vulnerable to cyberattacks, and more organizations are planning ahead and taking preventative cybersecurity measures to protect their businesses from a security breach. No matter how large or small an organization is, how a company reacts to a data breach is just as important as the steps they take to prevent them.
Vulnerability disclosure marketing is the practice of using marketing strategies to make the public aware of security vulnerabilities that have been disclosed.
At WhiteHat Security, we recently disclosed a vulnerability by working with our research partner Vertical Structure. Together, our companies worked together to identify and verify a vulnerability in omega and Lenovo EMC NAS products. Initial estimates showed that the vulnerability was exposing terabytes of data, through external hard drives that would leak information through specially crafted requests via an API but not through their web interface. WhiteHat Security and Vertical Structure then worked to notify and work with the vendor to quickly and effectively remediate the issue and protect customers.
Vulnerability Disclosure Marketing: What To Do
Based on these experiences, here are top tips for vulnerability disclosure marketing and how to make the public aware through marketing channels in a safe and responsible way.
Discuss Internally and Review the Impacted Company’s Policy
Vulnerability disclosure is an essential tool in any cybersecurity program. With a program in place, organizations are able to demonstrate their commitment to protecting their digital assets and customers, in addition to responding and remediating known risks faster. A vulnerability disclosure program opens a line of communication to external researchers and customers so that remediation is prioritized in the face of a vulnerability.
At WhiteHat Security, we coordinated with Vertical Structure before informing Lenovo. First, we analyzed Lenovo’s vulnerability disclosure policy, which was clearly indicated on its website and contained contact information.
Once the vulnerability was verified to be true, we determined internally that the next step was to reach out to Lenovo directly per the company’s disclosure guidelines and make them aware of the vulnerability. It’s vital to communicate within your organization internally of the vulnerability disclosure and determine the best path forward to make the impacted company and the public aware.
Communicate With Affected Company
The next step in Vertical Structure and WhiteHat Security’s process was alerting Lenovo of the problem. Once Lenovo confirmed there was an issue, the company quickly took action, after agreeing to a timeline to coordinate publicity efforts:
- In discovering this vulnerability, Lenovo pulled three versions of its software out of retirement and brought them back so its customers could continue to utilize their technologies while the company patched the vulnerability.
- Lenovo then pulled old software from version control to investigate any other potential vulnerabilities to fix and release updates.
Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations that experience similar challenges. This is where vulnerability disclosure policies are key and essential to ensuring a smooth process for notifying parties and affect companies.
Marketing Strategies for Awareness
Vulnerability disclosure is key to keeping cybersecurity top of mind. It’s a reminder to take preventative measures against the constant barrage of new vulnerabilities and exposures. Before implementing any marketing strategies, it’s important to first see if the affected company’s vulnerability disclosure policy lists a timeline for when the vulnerability can be made public.
Typically, the time period ranges from 60-120 days after an individual or organization makes the affected company aware of the vulnerability, allowing the company to put in place any patches, before making the news public. Once this time period passes, the news can be made public, with marketing strategies implemented. This is an essential safeguard. If the researchers leaked the news too early, hackers would have a strong advantage and be able to exploit websites and devices that haven’t been pitched, simply due to a lack of awareness.
A key strategy to making the public aware is issuing a blog post on the topic, which details the timeline of finding and verifying the vulnerability and what the current state of remediation is. This blog post can then be promoted via social media and news channels so that more individuals can be made aware of the vulnerability and put in place any necessary patches. The affected company also can put out an alert of their own at the same time, directly to vulnerable customers.
The number of vulnerabilities in the news proves that any organization can be affected by an outside adversary or data leak even with security barriers in place. It’s important to follow guidelines for vulnerability disclosure and then make the public aware through marketing channels, so that more individuals and organizations can protect themselves in the process.
