Over the last few years, there has been a rise in the number of vulnerabilities that have been publicly announced. According to a “Good Practice Guide on Vulnerability Disclosure” by European Union Agency for Network and Information Security (ENISA), published in December 2015, the volume of vulnerabilities reported in 2014 represents a year-on-year increase of approximately 53% relative to 2013. Several high-profile vulnerabilities reported to the public in 2014, such as Heartbleed, POODLE, Shellshock and Sandworm, had far-reaching consequences and, therefore, re-opened the discussion on vulnerability disclosure procedures in general.
As the threat landscape continues to evolve, it becomes extremely important that stakeholders address these challenges and adopt vulnerability disclosure practices that can help minimize damage and strengthen security:
1. Use existing documents. Official documents, such as the Organization for Internet Safety (OIS) guidelines for security vulnerability reporting and response and the ISO standards on vulnerability disclosure and handling (ISO/IEC 29147 and ISO/IEC 30111), already provide useful guidance on how to carry out responsible disclosure and set up a workable vulnerability disclosure policy. To avoid reinventing the wheel, key stakeholders should refer to these documents when creating a vulnerability-handling scheme; at the same time, the community needs to make these documents more widely available to stimulate improvement of disclosure practices.
2. Facilitate effective communication. This practice consists of three sub-practices. Firstly, vendors should have a clear and reachable point of contact for vulnerability reports, so that reporters do not spend time and resources searching for the right contact. Secondly, vendors should have a published disclosure policy in place that states the primary point of contact, the information required from reporters, the vulnerability response mechanisms and the timeline of the process. Finally, regular communication with key stakeholders makes the disclosure process more transparent and manageable and helps ensure it does not lead to unexpected outcomes.
3. Disseminate information about vulnerabilities. For regular users of products or services, spreading information about vulnerabilities is vital. Details about the vulnerability and its solution, if one is available, should be disseminated to inform users of any developments and give them an opportunity to protect themselves. How much information is made public depends on the particular case and should be agreed by all stakeholders.
4. Address vulnerabilities in a timely manner. There is a consensus among practitioners that timelines are a vital part of vulnerability disclosure. Without timelines, certain vendors may postpone fixing vulnerabilities indefinitely. Giving vendors short embargoes for the development of a solution makes them act more efficiently, since they cannot simply "sit" on a vulnerability for months without any response. Additionally, to reduce the risks associated with disclosure of unfixed vulnerabilities, the vendor community and reporters need to work towards agreement on reasonable timelines for addressing a particular problem.
5. Ensure flexibility in reporting and disclosing. Since a "one size fits all" rule does not work for vulnerability disclosure, flexibility in the way a problem is reported and subsequently treated becomes essential. Flexibility, like responsiveness, ought to be a two-way street, so that there is common ground for achieving the ultimate outcome. For example, flexibility is crucial with respect to patching in critical infrastructure sectors, where patching is more complicated and vendors need more time to develop a fix.