4 Pillars for Building a Responsible Cybersecurity Disclosure Program

Software vulnerabilities are a lot like landmines in a war zone: they're hidden in plain sight, seemingly everywhere, and poised to explode when you least expect it.

However, unlike the uniform destructive power of an ordinance, not all vulnerabilities are equal. The software vulnerability severity spectrum spans from innocuous misconfigurations to devastating zero-day exploits that, if triggered, could lead to calamitous data breaches and compromise the integrity of entire systems.

As a security software vendor, Descope relies on partners, users, and other members of the software security community to notify us when vulnerabilities are identified in our products. We also occasionally uncover vulnerabilities in other products. Recently, we discovered and disclosed a serious misconfiguration affecting Microsoft Active Directory applications, potentially impacting any application that uses "Log in with Microsoft" in its authentication flows.

Why Responsible Disclosure Is Critical

Having experienced the trust placed in us by users reporting vulnerabilities, we appreciate the importance of defining and abiding by a responsible disclosure program. Responsible disclosure must strike a delicate balance between meeting the immediate need to protect users at risk with the broader security implications for the entire community.

The Cybersecurity and Infrastructure Security Agency (CISA) reported a record 26,448 confirmed vulnerabilities in 2022, with the number of "critical" vulnerabilities up 59% from the year prior. Yet this represents just a small fraction of reports submitted to vendors, especially over the past few years as more software vendors have enhanced their bug bounty programs.

Software vendors haven't always been receptive to soliciting vulnerabilities from third parties. In 2015, Oracle's CSO famously penned a 3,000-word open letter pleading with customers to quit reverse engineering and publicizing flaws in its software. In some extreme cases, individuals who reported vulnerabilities have even been threatened with criminal prosecution.

Software vendors have come to appreciate the value of crowdsourced penetration testing. Many have created incentives to reward users and threat researchers for finding and reporting vulnerabilities. However, even as these bug bounty programs grow in prevalence, challenges persist to make the process streamlined, transparent, and beneficial for all parties. The vast number of vulnerability reports also highlights the need for a structured and responsible approach to manage, address, and rectify these vulnerabilities.

The primary goal of vulnerability reporting remains making software as secure as possible for end users. Transitioning from a reactive to a proactive stance demands more than just open channels for reporting. It necessitates development of a comprehensive framework that sets guidelines for both reporters and vendors.

4 Key Principles of Responsible Cybersecurity Disclosure

Crafting a responsible disclosure program is in the best interest of every constituent in the software community. Consider the following four principles as core pillars for constructing an effective responsible disclosure program.

1. Be Clear and Transparent. A clear and transparent communications process should outline the key elements of the disclosure process, identify the designated points of contact, and chart expected timelines for a response. Balancing the urgency for immediate disclosure against allowing the software vendor sufficient time to rectify the issue is a crucial aspect of this process.

Generally, the industry standard is to grant 30 days for the software vendor to address the vulnerability, although this timeline can fluctuate based on the extent and gravity of the vulnerability. For organizations offering a bounty program, it's essential to maintain transparency about the program's operation, which includes articulating how and when reports will be compensated and the types of vulnerabilities that are eligible for rewards.

2. Foster Trust, Not Fear. Consistent and open communication with researchers and ethical hackers who identify vulnerabilities is vital to cultivate an environment of shared accountability, open conversation, and mutual trust. Assuring contributors they won't face legal consequences for reporting a vulnerability is paramount.

In today's interconnected software landscape, a poorly managed vulnerability disclosure program can negatively impact the entire software ecosystem. Therefore, it's essential to exercise discretion, particularly when it comes to disclosing information about other parties — including competitors — who may be impacted by a similar vulnerability. This not only demonstrates professional respect and fairness but also reinforces the collaborative ethos vital to maintaining industry-wide security.

3. Establish a Comprehensive Triage Process. Investing in a well-documented triage framework is a cornerstone of every mature vulnerability management program. It provides security teams with a structure for prioritizing vulnerabilities based on their potential impact and their likelihood of exploitation.

Beyond prioritization, a robust triage process also facilitates responsible communication and decision-making with a range of stakeholders — from software developers who implement the fixes to users who must be properly informed about any potential risk. A triage process holds critical importance in heavily regulated industries that are subject to stringent regulations and require that specific types of vulnerabilities be reported and addressed within a designated timeframe.

4. Continuity Is Crucial. Today's threat environment is highly dynamic and requires a continuous and adaptable process for identifying, reporting, and patching vulnerabilities in a timely manner. It's likewise important to routinely review and update your disclosure program to ensure its efficacy and relevance in the context of the current threat landscape. This means your procedures, tools, and strategies should not only address existing vulnerabilities but also prepare for future ones.

A culture of continuous improvement should incorporate feedback from various stakeholders and lessons learned from past experiences. Harness insights garnered from the evolving threat landscape to refine your disclosure program.

The Whole Is Greater Than the Sum

Responsible disclosure emphasizes that in cybersecurity, the collective strength derived from the collaboration of researchers, vendors, and users surpasses the capabilities of any individual component. Just as the whole is often greater than the sum of its parts, cybersecurity is not merely a single organization's or individual's concern; it's a shared duty in our mutual pursuit of a secure digital world.