Page 1 of 2 next >>

Why Organizations Are Ignoring Vulnerability Reports—And How to Fix the Problem

The message on the business landscape is clear: Vulnerabilities are everywhere. They’re in software, in hardware, in processes, and even in people. It only takes a small, unguarded threat vector for hackers to attack, invade, steal data, and wreck reputations.

Yet, despite this awareness, many organizations exhibit a strong resistance—if not outright hostility—toward vulnerability reports. Instead of being heeded and acted upon, these reports are minimized, challenged, or simply ignored. Unfortunately, this pushback is the daily reality for many “bug hunters,” security researchers, penetration testers, and internal security teams.

At the same time, it is also true that many vulnerability reports are unintelligible, out of context, or riddled with technical inaccuracies. However, this does not prevent some reporters from aggressively requesting (i.e., virtually demanding) fees for reports that, ultimately, have little or no value. Failure to comply can lead to public shaming, escalation to the CEO, or publishing reports that claim to “expose” a business.

Organizations need to have a clear understanding of what must happen to bridge the gap between vulnerability reporters and actionable threat intelligence to keep their data, customers, and reputations safe. At a high level, the solution involves the following paradigm shifts:

  • Organizations must establish a culture of strong information security, which includes implementing clearly defined processes and procedures to manage vulnerability reports and enable remediation.
  • Reporters must understand business-related risks and documentation detail requirements, and they must also ensure that their reports are well-organized, robust, relevant, and accurate.

Let’s dive deeper into these shifts and consider how to create common ground between reporters and organizations (including specific business units), so they can dramatically reduce—if not eliminate—frustrations, threats, and scenarios where both sides lose versus both sides win.

Organization Failure

We all know the main goal of business shareholders is to create value. While benefit realization and resource optimization are often at the core of business concerns, risk optimization is usually left aside or visited when absolutely necessary. This kind of situation leaves the organization in a state of unpreparedness—with poor visibility and the inability to react and respond to information security threats.

Not surprisingly, such organizations are shocked by vulnerability reports. They cannot anticipate those situations and end up treating every report as an incident. Without a proactive approach, reporters have a hard time finding the contact address of the function responsible for vulnerability management, and might end up emailing the sales function, the CEO, or an abandoned mailbox, reaching out via social media or, even worse, just giving up. Also, the organization’s assumptions and expectations are not shared with them, so the report might arrive with too little information, or with information the organization does not want or need.

Another common inconvenience is feeling harassed by frequent emails from the reporter asking for a status update. This usually happens because expected response times and communication frequency were never shared. The worst problem of all is trying to agree on a degree of impact (severity) for each vulnerability. Why does the reporter insist so much on the urgency of remediating an issue the business does not consider impactful? Well, has the business clearly defined what it considers impactful? All these issues spark disagreement and frustration between the involved parties, which justifies the need for a formal process that is defined, documented, and communicated to the appropriate parties. This process is called “responsible disclosure.”

What Can Organizations Do?

A formal responsible disclosure process must be designed, developed, implemented, and published on the business’s main website. It must be easy to find and always available. This process supports proactive handling of vulnerability reports by defining authorized reporting channels, assumptions, and expectations, as well as expected response times and communication frequency and the legal terms and conditions. The more transparent the process, the better it is for everyone. This proactive approach eliminates the friction and surprises that lead to the blame game and to a state of crisis management.

The responsible disclosure process must have clear degrees of severity to which the reporter can agree. The information security industry relies heavily on the Common Vulnerability Scoring System (CVSS), an industry standard for evaluating a vulnerability’s severity according to its characteristics. It should actively be used when communicating with external reporters. However, this system may not fit well internally. In most cases, it is better to combine the CVSS score with business-approved metrics to produce a risk or priority score that your internal teams can agree on. As an example, a high-severity vulnerability according to CVSS could translate into a medium- or low-priority issue because the affected system sits in a lab that is not connected to the internet.
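As an added example (not code from the article), the following Python helper keeps the CVSS qualitative severity for the conversation with the external reporter while deriving an internal priority from business context. The exposure and data-classification weights and the P1–P4 thresholds are constructed placeholders that a business would replace with its own approved metrics; the CVSS v3.x severity scale itself is the real one.

```python
"""Derive an internal remediation priority from a CVSS base score.

The CVSS qualitative scale below is the real v3.x rating scale. The exposure
and data-classification weights and the P1..P4 thresholds are a constructed,
hypothetical scheme standing in for business-approved metrics.
"""
from dataclasses import dataclass

# CVSS v3.x qualitative severity rating scale (upper bound of each band, inclusive)
CVSS_SEVERITY = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]

# Hypothetical business-approved weights (constructed for this example)
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.8, "isolated_lab": 0.4}
DATA_WEIGHT = {"regulated": 1.0, "business": 0.8, "none": 0.5}
# Hypothetical priority bands on the weighted score (lower bound, inclusive)
PRIORITY_BANDS = [(9.0, "P1"), (7.0, "P2"), (4.0, "P3"), (0.0, "P4")]


def cvss_severity(base_score: float) -> str:
    """Map a CVSS base score to the label you communicate to the reporter."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    return next(label for upper, label in CVSS_SEVERITY if base_score <= upper)


@dataclass
class Triage:
    cvss_score: float
    cvss_severity: str    # external: what the reporter sees
    weighted_score: float
    priority: str         # internal: what remediation teams schedule against


def triage(base_score: float, exposure: str, data_class: str) -> Triage:
    """Combine the CVSS score with business context to get an internal priority."""
    if exposure not in EXPOSURE_WEIGHT or data_class not in DATA_WEIGHT:
        raise ValueError("unknown exposure or data classification")
    severity = cvss_severity(base_score)
    weighted = round(base_score * EXPOSURE_WEIGHT[exposure] * DATA_WEIGHT[data_class], 1)
    priority = next(p for lower, p in PRIORITY_BANDS if weighted >= lower)
    return Triage(base_score, severity, weighted, priority)


if __name__ == "__main__":
    # The article's lab scenario: CVSS "High", but an offline lab box with no real data.
    print(triage(8.8, "isolated_lab", "none"))       # priority P4
    print(triage(8.8, "internet", "regulated"))      # priority P2
```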

Reporting Failure

It is sad to say, but not all reports are equal. It gets even trickier when you consider that a report that suits one company’s needs might not fit another company’s needs. The reality is that the reporter has a direct impact on whether their report is accepted or not. Common factors and actions that contribute to this failure include (but are not limited to) the following:

  • A violation of the responsible disclosure process
  • Poor writing and communication skills
  • An unethical approach, such as asking for a “reward” (ransom) for the full report

The responsible disclosure process should be publicly available from the main website of the target organization. It should include all that is needed to report to the appropriate personnel and establish assumptions and expectations, as well as terms and conditions. Not complying with those rules is definitely a hostile way to report a vulnerability. No matter how severe the vulnerability, such behavior might just close any chance to obtain a follow-up or a reward.

Writing and communication skills are also very important and are often neglected by technical people. It is not unusual to obtain reports written with poor and unintelligible sentences. Sometimes, the vulnerability is well-described, but its impacts on the business are misinterpreted due to poor explanation. Reporters need to focus on how it can hurt the business—for example, saying the risk involves “breaching the confidentiality of the customer PII data from your production database.”

Not all bounty programs provide financial compensation. Where the responsible disclosure process does not mention any reward, asking for money in exchange for a full report is not acceptable and could be considered extortion. Security researchers looking for compensation should focus on bounty programs that explicitly mention financial rewards. Any type of harassment, aggressiveness, or threat will not be tolerated.
