Companies and security researchers are coordinating more closely than ever
24 September 2019
Software companies and security researchers believe that disclosing vulnerabilities to improve security is good for everyone, according to Veracode’s Exploring Coordinated Disclosure study. The report examined how organisations and security researchers work together when vulnerabilities are identified.
It found that 90% of respondents agreed that disclosing vulnerabilities improves how software is developed, used and fixed. The software industry acknowledges that unrecognised vulnerabilities can have enormous negative consequences for businesses, consumers, and economic stability.
Veracode’s research also found that unsolicited vulnerability disclosures happen regularly. More than one-third of companies have received an unsolicited vulnerability disclosure report in the past 12 months. Of those companies, 90% said vulnerabilities were disclosed in a coordinated fashion between security researchers and organisations.
It also highlighted that organisations will collaborate to solve issues. Indeed, 75% of companies have an established method for receiving a report from a security researcher, while 71% of developers feel that security researchers should be able to conduct unsolicited testing.
Security researchers’ expectations for remediation time are not always realistic, according to the study. After reporting a vulnerability, 65% of security researchers expect a fix in less than 60 days. That timeline might be too aggressive, considering that recent research from Veracode found that 70% of all flaws remain one month after discovery and nearly 55% remain after three months.
Bug bounty programs get the lion’s share of attention related to disclosure. But, according to the research, the lure of a payday is not driving most disclosures. While 47% of organisations have implemented bug bounty programs, just 19% of vulnerability reports come from them. In fact, such programs often prove inefficient and expensive.
“The alignment that the study reveals is very positive,” said Veracode chief technology officer and co-founder Chris Wysopal. “The challenge, however, is that vulnerability disclosure policies are wildly inconsistent. If researchers are unsure how to proceed when they find a vulnerability, it leaves organisations exposed to security threats, giving criminals a chance to exploit these vulnerabilities.
“Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day.
“A strong disclosure policy is a necessary part of an organisation’s security strategy and allows researchers to work with an organisation to reduce its exposure. A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped.”
The study involved 1,000 participants from a range of industries in Germany, France, Italy, the UK and the US. Respondents were required to have an average to high level of familiarity with vulnerability disclosure models to participate.