Vulnerability Disclosure is Not One Size Fits All (and that’s okay)
Vulnerability disclosure is one of those topics that generates strong reactions. It’s not surprising that anything directly tied to vulnerabilities tends to draw focused attention from the broader cyber community. Overall, it’s a good thing that’s the case.
That attention is a big reason why so much thought continues to go into defining frameworks that dictate what happens from the time a vulnerability is discovered to when it is disclosed to the affected agency or organization, and ultimately to customers or end users. There are internal and external aspects to responding to a vulnerability disclosure. In the ideal scenario, the internal phase begins when a researcher or other trusted party discovers the vulnerability and informs the affected organization. From there, the organization focuses resources on delivering a fix in a timely fashion. Discovery and remediation are the internal phases, and they receive much of the attention.
The external disclosure window begins once affected end users are notified of the vulnerability and of the fix, and are then given time to apply it. Allowing for patch time needs to be part of the equation. That’s the thinking behind Google Project Zero’s recent update to its disclosure policy, which keeps the 90-day fix deadline but adds a 30-day window for patch adoption and deployment before technical details are published. They made it official after a pilot period, and the thinking tracks their own finding that roughly one in four of the in-the-wild zero-day exploits they detected in 2020 could have been avoided with more thorough patching efforts.
Google’s Project Zero team isn’t perfect. And sometimes even their team members disagree on parameters around disclosure. But, there’s no denying the impact it’s had on how organizations look at security since it came into existence in 2014. These days, many companies tend to follow Google’s guidelines, as evidenced by the chatter from cyber experts in reaction to their recent policy changes. Google’s Project Zero also has directly or indirectly influenced other organizations to build bug-hunting teams like Microsoft’s recently-formed Microsoft Edge Vulnerability Research group that focuses on keeping the Edge browser more secure.
In the public sector, governments around the world have actively contributed resources to the cause. In the U.S., the Common Vulnerabilities and Exposures (CVE) List, launched by MITRE in 1999, is sponsored by the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). That international, community-based catalog has been an important resource for public and private institutions alike ever since.
Federal agencies like CISA publish their own vulnerability disclosure guidelines for public institutions, and CISA also runs a coordinated vulnerability disclosure process for reports that cross organizational lines. Like the private sector’s policies, these tend to focus on core security issues. Other agencies, such as Health and Human Services and the Department of the Interior, maintain vulnerability disclosure policies with an added focus on keeping private information like PII and health records private.
The recent Sunburst hack, the SolarWinds supply-chain compromise, underscored the need to re-think how we approach security. Government and industry need to come together after such incidents to find ways to prevent future attacks and vulnerabilities. Doing so will benefit both sectors and improve cybersecurity for the U.S. overall. This position has long been advocated by cybersecurity leaders like Admiral Michael Rogers (retired), former director of the NSA and former commander of U.S. Cyber Command:
“I want to be in a situation where the pain of the one leads to the benefit of the many,” Rogers said. “So if one company, one entity is dealing with the problem, we use that as a way to improve a broader set of actors.”
Having a uniform U.S. policy versus a fragmented, state-by-state approach will make it easier for agencies and corporations to work together to close vulnerability loops. After all, state-by-state fragmentation causes cracks in the system, which is analogous to the gaps that could arise out of a continued point-product approach that creates loosely integrated fabrics instead of airtight security postures.
I’m not surprised that the recent Executive Order from the Biden administration leads with a call for a more cohesive and holistic approach to cybersecurity, since the administration had already made it clear it was seeking input from the private sector on software procurement standards. Requiring clear and common terminology is a starting point for everyone.
A fundamental emphasis on software security, not hardware, is also key, as is more automation in incident detection, response and reporting. All of this will enable more consistent controls and policies that enforce security across multiple environments and form the foundation for a strong cyber posture. The whole is greater than the sum of its parts.
Though I’ve focused this post on the United States government and commercial companies, it’s clear that the topic of vulnerability disclosure policy sparks global interest. That’s why the Centre for European Policy Studies (CEPS) created a task force to write the 100+ page report Software Vulnerability Disclosure in Europe in 2018. And though GDPR compliance is a separate requirement, its 72-hour breach notification rule also shapes the timing of breach disclosures for organizations like Facebook. No doubt we’ll see others down the road.
No single agency, organization or country has all the answers. The sheer complexity of today’s digital landscape means there is no one-size-fits-all approach to responsible disclosure. But focusing more public and private funding and resources on finding and fixing vulnerabilities is a better path forward for the cybersecurity industry.
Some related resources:
- Forcepoint Product Security – Report an Issue
- Google Project Zero – Policy and Disclosure: 2021 Edition
- Google Project Zero – Vulnerability Disclosure FAQ
- CISA Coordinated Vulnerability Disclosure Process
- Department of Health and Human Services – Vulnerability Disclosure Policy
- Department of the Interior – Vulnerability Disclosure Policy
- Centre for European Policy Studies - Software Vulnerability Disclosure in Europe