Digital Vigilantes Weaponize Vulnerability Disclosure

Over the next two years, vulnerability disclosure will evolve from a predominantly altruistic endeavor to one that actively damages organizations. Attackers will search for, and publicly disclose, vulnerabilities to undercut competitors and destroy corporate reputations. Fraudsters will manipulate financial markets by releasing exploits at opportune moments. A lack of regulation will lead to a culture of digital vigilantism whereby vulnerability disclosure is weaponized for commercial advantage.

Organizations will be caught unaware as their vulnerabilities are disclosed at an accelerated pace, often without knowledge or consent. They will face unachievable timeframes to fix disclosed vulnerabilities, draining internal resources. The release of exploit code, the self-propagating nature of some malware and the interconnectivity of devices could see vulnerabilities exploited faster than ever before (accelerated by developments in AI) with major impacts to business.

Software providers and organizations that rely on their products will experience disruption from strategic vulnerability disclosure by rogue competitors, organized criminal groups and hacktivists. Given the global dependence on commercial software, the weaponization of vulnerabilities will have far-reaching consequences for businesses and their customers alike.

What is the justification for this threat?
Currently the key players concerned with vulnerability discovery and disclosure are big tech giants, which have significant resources. Google's Project Zero and Microsoft's vulnerability discovery team are examples of well-known vulnerability disclosure program which actively search for vulnerabilities in their own and other companies' software.

To date, big tech giants have been able to define their own policies and practices regarding vulnerability disclosure. This enables the redefinition of policies at will, justifying the strategic disclosure of vulnerabilities that directly undermine the reputation or commercial viability of other organizations. Google, in particular, has its own disclosure guidelines for the release of vulnerabilities in third party software, disclosing them in confidence before giving 90 days to issue a patch, after which the vulnerability and exploit code are publicly released.

In 2016, Google discovered a vulnerability in Microsoft's Windows 10 operating system that allowed an attacker to break out of a sandbox environment. Google categorized the flaw as critical, and publicly disclosed the vulnerability ten days after reporting it. Microsoft criticized the disclosure and responded with the statement: "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk."

In 2017 Microsoft publicly disclosed a Google Chrome web browser vulnerability, alerting Google to its discovery 30 days prior to the disclosure. The outcome of this tit-for-tat exchange was a more constructive approach to disclosure adopted by both parties. However, it does highlight the potential for vulnerability disclosure to be weaponized.

A market for vulnerability acquisition is emerging, driven by organizations such as Zerodium, which will pay millions of dollars for individual zero-day vulnerabilities. This illustrates the increasing monetary value of vulnerabilities and potentially changes the motivation for disclosure. As criminal groups or nation state actors understand the potential of zero-day vulnerabilities, unethical vulnerability disclosure will escalate, leading to more vulnerable software and associated disruption to business and endangerment of customers.

Vulnerabilities may also be monetized in other ways, such as by manipulating the share prices of organizations. For example, in March 2018, a small security company claimed to have found vulnerabilities in AMD processors, releasing the details shortly afterwards. About 30 minutes later a financial organization published an "obituary" for AMD citing the recent vulnerability discovery as evidence the company was now worthless and would have to file for bankruptcy. Links between the research company and financial organization later surfaced, showing it to be an attempt to game the stock market. Whilst these attempts to use vulnerability disclosure to short stock ultimately failed, it is just a matter of time before cases of vulnerability disclosure grow in scale and complexity.

The market for buying and selling vulnerabilities will continue to expand at an alarming rate. At the same time, AI developments will accelerate the speed at which vulnerabilities are found. Organizations will be faced with an unsustainable patching regime, and will face significant disruption and damage if vulnerabilities are exploited.

How should your organization prepare?
Dealing with zero-day vulnerabilities should be business as usual for organizations. However, as vulnerability disclosure becomes weaponized this will require re-evaluation of current approaches to patch management, threat intelligence and resilience.

In the short term, organizations should review and improve processes for managing technical vulnerabilities to include vulnerability scanning, remediation and patch management systems. They should also carry out more targeted and detailed penetration testing.

In the long term, vendors should invest in secure coding practices and increase threat intelligence activities in conjunction with threat hunting to move from a reactive to a proactive stance. Organizations should also implement a cyber resilience program and ensure that zero-day vulnerabilities are a tested scenario during a cybersecurity exercise.

— Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.