
Don’t let vulnerabilities become your weakness: implement a Coordinated Vulnerability Disclosure program

Each year, October is European Cyber Security Month (ECSM): a month to raise awareness, share knowledge and organise interesting events around this subject. This year’s themes are #CyberFirstAidKit and #CyberSecurityFromHome. So we’re putting out some great content for you this month, starting with this blog about Coordinated Vulnerability Disclosure programs.

Coordinated Vulnerability Disclosure (CVD) is a model in which a vulnerability or issue is only disclosed after a period of time that allows it to be patched. That’s quite some fancy language, so let’s try it this way: Coordinated Vulnerability Disclosure makes sure that once a weakness is found, it’s reported to you with enough time to patch it before it is shared with the world.

A simple process in a seemingly complex situation 

A Coordinated Vulnerability Disclosure policy is a clear guideline on how a researcher (or ethical hacker) can report a vulnerability, and it explains how the organisation is going to handle that report. A Coordinated Vulnerability Disclosure program structures the things researchers find and gives you an overview of the weaknesses found. This is much better than receiving random emails from people who found something wrong with your online environment, filled with text, terms and content you don’t understand, right?


There are four ways a researcher can handle the information of a vulnerability:

  • Non-disclosure
    The researcher keeps the information to themselves. They often fear legal repercussions when sending it in or want to use the vulnerability as leverage.
  • Limited Disclosure
    The researcher shares only a limited amount of information with a limited number of parties. This puts pressure on companies to quickly fix the vulnerability to prevent exploitation.
  • Full Disclosure
    The researcher or criminal releases the vulnerability publicly. This puts companies at risk if they cannot resolve the issue fast enough.
  • Coordinated Vulnerability Disclosure
    The researcher directly contacts the company with a report that isn’t shared publicly until the vulnerability is fixed.

The Starbucks example

A while back, in 2015, a researcher named Homakov found a vulnerability in the Starbucks gift card environment. This vulnerability is known as a race condition and allowed him to transfer endless amounts of money to gift cards, without having to dip into his bank account. To test whether an exploit like this would work, the researcher bought three $5 cards. He managed to transfer the $5 balance from card A to card B, not just once, but twice. As a result, Homakov now had a total balance of $20: a (fraudulent) gain of $5.

The researcher decided to test this in real life and made a purchase at his local Starbucks. It worked. Being the ethical hacker he is, he tried to report this to Starbucks but did not manage to get in touch. So Homakov decided to fix it. When Starbucks responded, they were not happy with his find and even accused him of abusing the vulnerability. It might have been that his emails got lost, or that his alerts were not processed properly. We hope, and assume, that Starbucks has since implemented a well-working CVD plan, so these kinds of alerts are no longer overlooked or misinterpreted.
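The Starbucks flaw described above is a classic check-then-act race: the balance is checked in one step and updated in another, so two requests that arrive at the same moment both pass the check. The following constructed Python example (added here for illustration; it is not Starbucks’ or Zerocopter’s code, and the `GiftCardLedger` class, card names and amounts are all made up) reproduces that gap in a toy in-memory ledger and shows the fix: doing the check and the update inside one critical section. A `threading.Barrier` is used purely to force the unlucky interleaving deterministically, so the effect is visible on every run.

```python
import threading
from typing import Dict, List, Optional


class GiftCardLedger:
    """Constructed in-memory stand-in for a gift-card balance store.

    Each individual storage access is atomic (like a single SQL statement),
    but transfer_naive() performs its balance check and its update as two
    separate accesses. That time-of-check/time-of-use gap is what a race
    condition exploits.
    """

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)
        self._store_lock = threading.Lock()

    def total(self) -> int:
        """Sum of all card balances; a correct transfer never changes it."""
        return sum(self.balances.values())

    def transfer_naive(self, src: str, dst: str, amount: int,
                       sync: Optional[threading.Barrier] = None) -> bool:
        # Step 1: read the source balance and check it (think "SELECT balance").
        with self._store_lock:
            balance = self.balances[src]
        if balance < amount:
            return False
        # Constructed hook: every concurrent request pauses here, so all of
        # them have passed the check before any of them writes.
        if sync is not None:
            sync.wait()
        # Step 2: write back the *stale* computed balance and credit dst.
        # Both requests write src = 0 and both credit dst, so money is created.
        with self._store_lock:
            self.balances[src] = balance - amount
            self.balances[dst] += amount
        return True

    def transfer_safe(self, src: str, dst: str, amount: int) -> bool:
        # Check and update in one critical section: the second request sees
        # the already-debited balance and is refused.
        with self._store_lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def race_transfers(ledger: GiftCardLedger, src: str = "A", dst: str = "B",
                   amount: int = 5, requests: int = 2,
                   safe: bool = False) -> List[bool]:
    """Fire `requests` identical transfers concurrently; return each outcome."""
    results: List[bool] = [False] * requests
    # Timeout keeps the demo from hanging if fewer requests pass the check.
    barrier = threading.Barrier(requests, timeout=5)

    def worker(i: int) -> None:
        if safe:
            results[i] = ledger.transfer_safe(src, dst, amount)
        else:
            results[i] = ledger.transfer_naive(src, dst, amount, sync=barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    naive = GiftCardLedger({"A": 5, "B": 5})
    print("naive:", race_transfers(naive), naive.balances, "total", naive.total())
    safe = GiftCardLedger({"A": 5, "B": 5})
    print("safe: ", race_transfers(safe, safe=True), safe.balances, "total", safe.total())
```

With the naive transfer, two concurrent $5 moves from A to B leave A at 0 and B at 15, so the ledger total grows from 10 to 15: the same $5 gain the researcher observed. With the safe transfer, exactly one request succeeds and the total stays at 10. In a real database the equivalent of `transfer_safe` is a transaction that locks the row, or a single conditional statement such as `UPDATE cards SET balance = balance - :amt WHERE id = :src AND balance >= :amt` checked for an affected row count of one; a monitoring check that the sum of all balances only changes through top-ups and redemptions would have flagged this class of bug early.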

Zerocopter’s CVD program

Coordinated Vulnerability Disclosure is a form of disclosure: the transfer of information from an external source to a company or organisation, in this case regarding the security of IT systems. With Coordinated Vulnerability Disclosure, the vulnerability is only disclosed when it is fixed or after a certain period of time. Organisations can then fix the vulnerability or assess the associated business risks that may come from it. Zerocopter allows you to set up your own Coordinated Vulnerability Disclosure program, making it easy for people to report an issue.
And not only that: we go through the alerts for you. We collect, summarise and prioritise the alerts, so you’ll know what to focus on.

Sleep better with a good CVD program

It is impossible to develop a program that is impervious to tampering. A program can be built with an endless number of protections and security measures, but there will always be some form of weakness. For this reason, security flaws should not be seen as shameful but as a source of inspiration to build more robust defences. Starting with CVD can help awaken the needed motivation as well as help form.

You’re able to fix the vulnerability or assess the associated business risks that may come from it. At Zerocopter, we offer you such a program, and this is how it benefits you:

  • You’re not obliged to pay the researcher.
    Yes, you can credit them or decide to reward them anyway, but you’re not obliged to.
  • Saving time means saving money.
    There’s no need for you to dive into all the alerts you get: we’ll cherry-pick the ones that are valid, complete and in need of your direct attention.
  • It’s a simple process in a seemingly complex situation.
    Without a CVD policy, reports come in through many different channels (phone, LinkedIn, service desk, etc.). Compared with our platform: everyone can refer to a single link, and that’s it.

Make sure you don’t run into the hassle that Starbucks did so many years ago: just let them serve you coffee 😉 


Written by Zerocopter

October 14, 2021
