US pressure increases for vulnerability disclosure programmes
The US Federal Trade Commission (FTC) and Department of Justice (DOJ) are signalling that in the future organisations must have some form of vulnerability disclosure programme (VDP) that lets good-faith security researchers report bugs. Most organisations lack any kind of VDP at all. A recent HackerOne study found that 94% of the Forbes Global 2000 do not have any way for researchers to report security issues.
A VDP offers a secure channel for researchers to report security issues and includes some process for triaging and mitigating those bugs in an appropriate manner. A VDP has become an industry best practice, and regulators and law enforcement are paying attention. The FTC, in public testimony in June to the American Consumer Product Safety Commission, signalled that failure to have at least a rudimentary VDP could be a violation of the FTC Act:
“In many cases, the FTC has alleged, among other things, that the failure to maintain an adequate process for receiving and addressing security vulnerability reports from security researchers and academics is an unreasonable practice, in violation of Section 5 of the FTC Act.”
The US DOJ is making similar noises. Its 2017 “A Framework for a Vulnerability Disclosure Program for Online Systems” offers a non-binding framework (but a heavy-handed hint) of what a VDP should look like. Today’s framework is likely to be tomorrow’s law.
The DOJ’s framework comes from the Criminal Division’s Cybersecurity Unit and focuses on helping both researchers and organisations avoid unnecessary Computer Fraud and Abuse Act (CFAA) misunderstandings. “The framework outlines a process for designing a vulnerability disclosure programme that will clearly describe authorised vulnerability disclosure and discovery conduct,” the document’s authors write, “thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.”
Industry best practices have now been encoded in the rough drafts that will at some point become law. What does your organisation need to do to be compliant?
A VDP is not a bug bounty
The FTC’s comments and the DOJ framework avoid specifying a particular model for a VDP, such as ISO 29147 and 30111, and are clearly meant to enable innovation and experimentation with what works—and what does not—for different organisations.
It is also clear that the FTC and DOJ are in no way pushing organisations towards bug bounties. “No one is saying you should pay hackers,” Amit Elazari, a doctoral law candidate at UC Berkeley who studies legal issues surrounding VDP and bug bounties, says, “but you should at least have a channel of communication.”
Many companies confuse a VDP and a bug bounty, bug bounty pioneer Katie Moussouris said earlier this year. “It’s dangerous when people think that bug bounties are the same as vulnerability disclosure,” she said at the time.
A bug bounty offers financial incentives for hackers to look for security flaws. However, companies should not engage in a bug bounty until they’ve done in-house testing and, more importantly, built up their in-house process to handle reported vulnerabilities. “When you do a VDP, the DOJ suggests it’s not just the policy, it’s the capacity to triage, to address reports and fix the issues reported,” Elazari says.
Dealing with reported bugs is much harder than simply receiving good-faith security reports. Opening the floodgates to bug reports without any way to address them could expose your organisation to legal liability.
Utilising bug reports
It is not enough to simply have a channel open to receive security issues from good-faith researchers. You actually have to do something with those bugs. Failure to triage and address reported issues could be perceived as negligence.
“‘Adequate process’ is not just a ‘security@’ email but a more comprehensive programme,” Elazari says. “Once you have the report you can’t just turn a blind eye. You will need to patch. You have seen the information; it’s becoming a higher level of negligence.”
How not to run a VDP
Sent a vulnerability disclosure to @Dominos_UK email address. I haven’t had any response but that address has mysteriously ended up on a Domino’s marketing list! Stroll on!
— David Rogers (@drogersuk) July 31, 2018
The question then becomes how to demonstrate due diligence when challenged, in either a court of law or of public opinion. Compliance with the DOJ framework would be a highly defensible choice, Elazari suggests. “If you get to a stage that you need to actually prove what is an ‘adequate process,’ following the DOJ guidelines (even if they are just a recommendation) makes sense,” she says.
The future is VDP
The time is coming soon when some form of vulnerability disclosure programme will be mandatory for all organisations. Critical security issues at one company increasingly affect all of society in our interconnected world. Putting your house in order and leaving out a welcome mat for good-faith security researchers who want to help is now industry best practice. Regulators like the FTC can, and will, enforce this new norm.
“We’re going to see wide adoption of VDPs,” Elazari says.
European task force
Here, the Center for European Policy Studies (CEPS) Task Force on Software Vulnerabilities in Europe released a final report on 28 June calling for an EU-wide strategy for software and hardware vulnerability disclosure. The report details how European countries currently deal with vulnerability disclosure, and offers practical recommendations to improve coordinated disclosure of software vulnerabilities in both the private and public sectors.
The task force chair, MEP Marietje Schaake, said the report demonstrates there is much work to be done to create a common European approach to vulnerability disclosure, highlighting that 13 member states are currently considering setting up a coordinated vulnerability disclosure (CVD) process.
“Disclosing vulnerabilities to software and hardware vendors and manufacturers is crucial to protect our digital society. If we do not seriously address this issue in EU cybersecurity policies, we are acting as if only simply rearranging the deck chairs on the Titanic,” said Schaake.
The task force chair went on to say that ENISA can play a role in ensuring the process does not end up with widely diverging policies.
“In the long run, we also need to agree on a single interpretation of what constitutes hacking, or illegal access to a computer system, in order to avoid a chilling effect on vulnerability research. A Dutch researcher who finds a vulnerability in Spanish software should not be treated differently from a Spaniard who reveals a weak spot in Dutch software.”
IDG News Service and TechCentral Reporters