The ‘first contact’ is the establishment of a conversation between the security researcher having discovered a vulnerability and the manager of the information system affected; it is the nerve centre of efficient coordinated vulnerability disclosure. How do we enable ‘first contact’ then? We have listed the tools that make it possible in a nifty infographic (in English and en français) for you to peruse.
Security researchers can make significant contributions to the digital security of products. Yet ‘first contact’ is hard to establish, and even when a vulnerability does get reported, the vendor may prefer not to acknowledge it. This silence often drives security researchers to resort to public disclosure as a means of pressuring the vendor into correcting the vulnerability.
So how should an organisation handle the discovery of a vulnerability, and the exchanges needed to correct it, when the finder is an individual outside the organisation? Several means exist to promote coordinated vulnerability disclosure (CVD).
Each of them serves the same purpose: enabling the ‘first contact’ described above. Four of them are set out here.
A disclosure policy through a CERT
An organisation hosts its own CERT or uses such a service through a managed services company. It can then direct all vulnerability reports to the CERT, which coordinates the stakeholders, acting as counsel, intermediary and communicator. CERTs are also in the best position to preserve the discretion needed before disclosure: they give the vendor time to fix, and they watch the assets concerned for signs that the vulnerability has been rediscovered or exploited in the meantime (monitoring cannot guarantee this has not happened, but it shortens the time to detect it).
Operators of essential services that share the same exposure, as well as State services crucial to the Nation’s survival, clearly need to be informed early. Handling by a CERT ensures that such information reaches the third parties concerned through a privileged and fast channel. The circle of those in the know can thus widen in a controlled way before the patch reaches all users, which reduces the window for malicious use. For example, CERT-EU facilitates such interactions between the various national CERTs.
Indicating communication channels via security.txt
Given the difficulty of identifying an entry point for reporting vulnerabilities, experts from the cybersecurity community have proposed a standard: a file named security.txt, located at a known place in the tree structure of every website. That location is the same across websites and must be served over HTTPS: https://www.mywebsite.tld/.well-known/security.txt. The file lists, at a minimum, a Contact field (an https, mailto or tel URI) and an Expires date after which the information should no longer be trusted; optional fields point to an encryption key, the disclosure policy, acknowledgments and preferred languages.
Various organisations, including BlaBlaCar, Facebook and Google, have already adopted this communication channel. At the time of writing, security.txt was still a draft submitted to the IETF (Internet Engineering Task Force, the international workgroup that develops Internet standards) for review; it has since been published as RFC 9116.
Submitting a report on ZeroDisclo.com
ZeroDisclo.com is a non-partisan, non-profit platform that enables vulnerability reporting while preserving the anonymity of the discoverer; reports can also be submitted through the Tor Browser. Whatever browser the submitter uses, the report is encrypted with the receiving organisation’s public key, then signed and timestamped on a blockchain. The site forwards the report to the relevant CERT (private or national), and the researcher receives a certificate as proof of deposit.
The platform also proposes a useful disclosure process: it structures the report around criteria that allow a CVSS severity score to be computed. More importantly, because the report is encrypted end to end, ZeroDisclo acts as a secure ‘transmission belt’: at no time does the platform, or the people administering it, have access to the details of the vulnerability described.
Coordinated vulnerability disclosure thus becomes straightforward, and ZeroDisclo does not accumulate a dangerous store of knowledge about the bugs affecting third-party information systems.
Bug Bounty: the comprehensive approach to coordinated vulnerability disclosure
Bug Bounty, also known as crowdsourced security, is a collective means of testing the security of a product or service. The manager of the system concerned rewards each reported vulnerability according to its severity, and so according to the risk that fixing it removes. In its current form, a Bug Bounty platform brings together ethical researchers from around the world and coordinates between an organisation that wants its systems tested and a community of ethical hackers who receive recognition and compensation for their discoveries.
A Bug Bounty programme submits a digital service (a website, an API, a mobile application) or a product (a connected car) to ethical hackers, who examine it for potential vulnerabilities. In a public programme, any ethical hacker registered on the platform can take part; in a private programme, only a preselected group of hackers does.
Bug Bounty is a future standard for cybersecurity in that it materialises collective responsibility for the reduction of digital risk. It embodies the transition (somewhat contrary to popular wisdom) from centralised control of information security towards a ‘decentralised’ approach, made possible by the involvement of a community of ethical hackers. This securing by the community also reduces the number of vulnerabilities likely to be sold to intermediaries with unclear, if not dishonest, motives: through Bug Bounty, the researcher who reports a vulnerability receives a financial reward and bolsters their reputation.
Summing up: ways to mobilise collective intelligence
A global and lasting reduction of risk will come from the cooperation of public and private actors. An international model in this field is essential to avoid uncoordinated public disclosure, and guaranteeing protection for ethical security researchers is paramount. Information sharing is therefore crucial, and private actors play an essential role at this stage. One practical aid is the VDPFinder plug-in for Chrome and Firefox, which shows whether the website being browsed has an existing CVD policy, whether that is an email address to a CERT, a security.txt file or an ongoing Bug Bounty programme.
We have created the infographic below to summarise the implementation approaches for vulnerability disclosure. Below, you can download the high-resolution file in English and en français. It is free to use under the terms of the CC BY-NC-SA licence.
P.S. Looking for a handy infographic to help you raise awareness about roles and responsibilities in vulnerability disclosure? Here you go.