Chief Information Security Officers wake up to a full inbox every day. The job is to reduce the risk of a security incident, protect the organisation's digital assets, and keep private and personal data safe now and in the future. Keeping those assets secure is an ongoing task, and many CISOs find that security cannot be scaled with internal resources alone.
Outside users and researchers will discover security vulnerabilities in your systems. If no obvious reporting channel exists, they face an undesirable choice: contacting the CISO directly, disclosing the vulnerability publicly, or doing nothing. Each of these can leave critical vulnerabilities unreported, unknown, and unresolved.
The Obstacles in Place When Reporting Security Risks
Walking past a neighbour’s house, you see their back door has been left wide open. What would you do? You would probably call them, or send them a message to check everything is ok.
For organisations, however, it is not that simple. When a business gives hackers no sanctioned way to disclose a vulnerability, that vulnerability puts both the business and the public at risk. Reporting a security vulnerability can expose the reporter to legal risk, so hackers may withhold the details or publish them anonymously. When a report arrives anonymously, the organisation often cannot obtain the information it needs to reproduce and fix the issue, and the reporter receives neither acknowledgement nor confirmation that it has been fixed. Neither outcome gives any assurance that the vulnerability is safely resolved.
Why Use RDs?
A vulnerability disclosure policy (VDP), often referred to as "Responsible Disclosure" (RD) in Australia, is the "see something, say something" of the internet. It gives anyone who stumbles across something amiss clear, formal guidelines for reporting it to the person or team responsible, and it gives the internal security team a defined way to receive, triage, and communicate about such findings. The Australian Cyber Security Centre (ACSC) encourages security researchers, customers and members of the public to report security vulnerabilities responsibly and directly to the organisations, vendors and service providers concerned.
CISOs and other organisational leaders need to think about how security and privacy initiatives can advance business goals while managing risk effectively. Adopting the guidelines the ACSC sets out in the Australian Government Information Security Manual (ISM) helps unify security standards and strengthens an organisation's security posture as the threat and regulatory landscapes evolve. The ACSC updated the ISM in August 2020 to add a new security control (Security Control 1616) recommending that organisations implement a vulnerability disclosure program to support the secure development and maintenance of products and services. The aim of this control is to establish a channel through which outside parties can notify an organisation of security vulnerabilities in its products and services, so that the organisation can apply patches, updates or mitigations and keep the product or service safe for its end users.
Responsible Disclosure is becoming an established best practice and, increasingly, a regulatory expectation. Australian organisations such as Australia Post, the Department of Health and the Department of Home Affairs have published their own VDP guidelines. State governments are also taking the lead: the Queensland Government, for example, has built its own VDP program.
How to Implement Responsible Disclosure Programs
RD policies are simple, cost-efficient, and quick to establish. Done correctly, the policy can form the basis of a complete vulnerability disclosure program. An RD should contain enough detail to help both you and the researchers improve your security. Our guidance is that an RD should, at minimum, include the following five critical elements:
- Promise: State the mission behind the policy and explain your commitment to security, to customers, and to others. Say why the policy was created, why it matters that it is public, and what it is expected to accomplish.
- Scope: Specify what is fair game, where attention is welcome and where it is not allowed. State which types of vulnerabilities should be reported and which are excluded. Limits may also apply to particular products or versions, or exist to protect data or intellectual property.
- Safe Space: Make a good-faith commitment that reporters acting within the policy will not be penalised. In essence, say "We will not take legal action if ..." This is the reassurance a reporter needs before disclosing, so keep the language inviting, non-threatening, and clear.
- Process: Detail how finders should submit reports and what information you want to see (affected asset, steps to reproduce, impact). This is also where you set expectations for later communication. A secure web form for submissions helps ensure that every report captures the key details of the vulnerability.
- Preferences: Set non-binding expectations for how reports will be handled: the time between submission and first response, confirmation of the vulnerability, follow-up communication, any recognition offered, and if and when finders may publicly disclose their findings.
Publish the policy on an accessible, easy-to-find web page. Most organisations publish their vulnerability disclosure policy on their own website, together with an email address dedicated to reporting security issues.
We live in a world in which security researchers, friendly hackers, customers, journalists, and tech hobbyists find vulnerabilities every day, because no system is ever entirely free of security risk. Giving external parties a clear channel to report security issues through Responsible Disclosure lets an organisation reduce the risk of a security incident. It puts the organisation in control of an often chaotic workflow, keeping its assets secure with the help of the hacker community.