What Do You Mean You Don't Have a Responsible Disclosure Program?

by Sp3nky

No product is perfect.

You can have security involved from the beginning with the dev group, and something will be missed.

This will still happen even when you have a fully developed, mature DevSecOps group and program in place.  Impressive as that is, it does not change the outcome.  The group may have a checklist they work through as part of the procedure.  A checklist is not optimal, and there will still be people who want to check the box rather than think creatively about their solutions.

Looking forward, we can't predict future technological advances.  Before long, a vulnerability that is present today but that nobody has thought of may be detected and exploited.  Unfortunately, this has happened before.  New technologies also bring new attack methods, which are created frequently, and those methods may well apply to earlier products.  Knowing every advance that will be made in the next 10 to 15 years is not plausible.

With unknown future attacks that may apply to your product or services, the prudent move is to plan for them now.

This may take many different paths for an organization.  A Chief Information Security Officer (CISO) may want to put some process or procedure in place to meet the issue head-on.  Any process put in place well before an incident is clearly beneficial.  When there's an issue, it is always better to follow a plan.  The alternative is the reactive model, which is never a good thing.  The CISO would need to magically come up with a critically needed plan on the fly, in an instant, without the opportunity to put a couple of weeks of thought and vetting into it.  Searching Google for a plan at the last minute isn't exactly the best situation.

This is where a responsible disclosure plan comes into play.  When a researcher or third party finds one of these pesky vulnerabilities in your product, a responsible disclosure process in place makes the issue manageable.  It encourages testing that removes as many of these issues as possible up front.  The company has its own staff working on security, along with researchers throughout the nation and other countries also rooting these out.  The researcher or lab that finds the vulnerability has a road map to follow when disclosing it.  The process gives certainty, and the people involved have a way to show their lack of malicious intent and their clear focus on helping the industry and the company improve their product.

While this isn't the most glamorous topic, responsible disclosure programs are pertinent, and they are a tool that gives researchers some level of assurance that, at the very least, no legal action will be taken against them.

What brings this about is that the workplace recently completed a limited-scope pen test of several consumer products (e.g., testing eight hammers from different manufacturers).  Through the test, too many vulnerabilities were found.  There was no data leakage between these.  Each of the manufacturers was contacted individually (again, no cross-contamination of test results), asking them what their responsible disclosure program was.  Each email identified the lab and indicated that it might have information to communicate.

This seems easy enough.  Each manufacturer was emailed, letting them know that their product may have issues, and we wanted to communicate these to them in whatever format and method was best for them. Help me to help you.  Very simple.

Well, not so much.

It turns out manufacturers did not put an emphasis or much thought into this.  There were two manufacturers who had something in place.  One was mature, and the other not really, but they were moving in the right direction.  The general response took two forms.  There was a lack of response, which is bad.  This lack of attention to a valid issue speaks volumes as to the weight and care placed on their products' cybersecurity.

The other general response received was more generic, not addressing the fact that there was an issue.  These appeared to be more of a copy/paste from another document.  This fit the circumstance like a square peg being forced into a round hole.  The manufacturers were all contacted at least seven times, except for the two who had some form of a plan in place.

We all know the value of getting ahead of an issue.

Handling a minor issue is so much easier than dealing with it after it explodes through the network.  We've seen what happens when the organization is not proactive.  One issue with cybersecurity as a task and function is that it's difficult to quantify the benefits.  These aren't as tangible as they are in other disciplines (e.g., tax accounting saving the company six million dollars).  The same problem occurs with responsible disclosure programs.  Management may view them as a money pit, with the labor, overhead, and any perks provided to the researchers.

There is a need for these programs.

The researchers need to know they can do the research and testing on the product and provide real results for free, and that there will be no legal repercussions.  The alternative is to treat non-malicious researchers as quasi-criminals.  Naturally, researchers would not want this and may move toward releasing their findings anonymously, or in other venues, with no notice.

The responsible disclosure program is a prudent avenue to follow.

The company receives valid tests from researchers to help them with their product, for free or for some bounty.  Compared with what it would cost the company to be surprised by an exploit, the bounty and its benefits are clearly worthwhile.
