Why Organizations Are Ignoring Vulnerability Reports—And How to Fix the Problem

What Can Vulnerability Reporters Do?

Reporters should first look for a published responsible disclosure process and follow it carefully. For organizations that do not publish such a process, the reporter should start by contacting the support department, which is typically the entry point for all external requests. Reporters must not send the report itself until they reach a contact who is responsible for handling the issue. Reporters must also keep in mind that reporting vulnerabilities, especially to a business that is not ready for them, is a joint operation—one in which the reporter must communicate and behave with extra diligence toward business representatives. If the business feels threatened, the cooperation will fail. This is where good communication and writing skills come in handy.

The reporter must also consider the business threat model and make sure the vulnerability is impactful. Each vulnerability should be reported with at least a description, a severity score (using CVSS), an analysis explaining the factors affecting the probability and impact of exploitation, and remediation options. References, screenshots, and any other information that helps the recipient understand the risk and the technical aspects of the vulnerability should also be included. For reporters who are internal to the organization, it is not recommended to rely solely on CVSS to evaluate a vulnerability's severity. Internal teams have access to more information and should speed up the process by translating the CVSS severity into a risk or priority score. This extra step provides better alignment with business needs in terms of risk optimization goals and risk appetite.

The terms of any agreement under which a reporter is paid or rewarded for extra work requested by the target business should be communicated early and should not restrict the business's access to vulnerability information. The same applies if the reporter wants to publish the report publicly. This discussion should be held early to avoid cooperation failure. Currently, the industry rule is to allow the business to fix the vulnerability before going public. For non-cooperative businesses, a deadline of 90 days is usually the norm before going public. However, reporters should be aware of the risk of legal action from a business that does not consent to a vulnerability report being made public.

Is It That Easy?

While designing, implementing, and maintaining a responsible disclosure process will foster collaboration between reporters and business representatives, other processes still need to be in place. These additional processes are needed to remediate and manage the risks related to vulnerability reports, avoiding unnecessary delays, emergency change errors, and sensitive information leakage.

A good place to start is the NIST draft Secure Software Development Framework (SSDF). Its practice group called Respond to Vulnerabilities (RV) further speeds up and secures the remediation of vulnerability reports. Organizations can also rely on third-party assistance, such as bug bounty platforms, assessors, and auditors, to help them put in place and refine their program.

On the reporter side, staying professional, focused, technically accurate, and communicative is a skill that should be continuously improved upon to help keep businesses, their partners, and their customers safe.
