Inside The Vulnerability Disclosure Ecosystem
Report released by NTIA stakeholders offers new information on how organizations respond to security vulnerabilities - and what researchers think.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blte1d59f6f9fd81f03/64f0d93a97db18ca86d55d7e/Slide-1-CoverArt.jpg?width=700&auto=webp&quality=80&disable=upscale)
A new National Telecommunications and Information Administration (NTIA)-led study of how security researchers and software vendors handle and view vulnerability disclosure provides rare insight into both sides of the equation.
NTIA formed a team of stakeholders from the software industry, security researchers, and industry at large to study how the various players could build a higher level of trust when it comes to disclosing vulnerability information.
“Having more disclosure won’t solve all our security challenges,” says Allan Friedman, director of cybersecurity initiatives at the NTIA. “But it will build a more collaborative environment where organizations can respond to and have good relationships with [stakeholders] in the security field.”
One of the three working groups formed by the NTIA conducted two surveys, one of security researchers and another of software vendors. The researchers survey received 414 responses, and the software vendor study received 285.
On the plus side, 92% of security researchers surveyed say they participate in some form of security disclosure, but 60% say the threat of legal action could potentially deter them from working with a vendor to disclose a vulnerability.
And while 76% of vendors say they look internally to develop vulnerability handling procedures, only one in three require third parties to develop their own vulnerability handling procedures.
“Clearly there needs to be more work done in working with third parties,” says Friedman. “Especially when so many of the high-profile breaches involved third parties.”
NTIA published three papers from the study, and here are some key takeaways:
The vast majority of security researchers surveyed (67%) communicate directly with vendors when they find a vulnerability, while another 25% work through a third party, either a coordinating organization or a Product Security Incident Response Team (PSIRT). Some 4% say they don't disclose security vulnerabilities at all.
A full 95% of security researchers expect to be notified when an issue is resolved, but 32% say they shared a vuln publicly because of unmet timelines, while another 20% consider sharing a vulnerability publicly because the timeline was not met. In other words, despite plans to disclose a vulnerability in a coordinated manner, slightly more than half of researchers were frustrated in their efforts.
At least for this sampling, the influence of bug bounties is marginal, with only 15% of respondents expecting compensation. However, 70% expect regular communication, 57% expect to test any mitigations, and 53% want an acknowledgment from the affected software vendor. Another 20% expect nothing in return for disclosure, and 14% want to remain anonymous. In general, security researchers expect some give and take, but bug bounties have yet to become the norm.
Most mature technology organizations have thought through what to do about responding to vulnerabilities: 76% have completed internal reviews of their policies, 59% have examined the vulnerability processes of peer organizations in their field, and 41% have reviewed ISO standards. Less mature tech organizations need some work in this area, as only 17% have completed internal reviews, 16% examined their peers, and 14% reviewed ISO standards.