What's the key to a successful Coordinated Vulnerability Disclosure process?
According to Cybersecurity Ventures, cybercrime caused $6 trillion in damages worldwide in 2021, and, more worryingly, these costs are expected to grow by 15% every year over the next five years.
That is why the Council and the European Parliament came up with a new directive, NIS2 (Directive on Security of Network and Information Systems), with the goal of strengthening organizations’ security across Europe. In comparison with NIS, the NIS2 directive will affect not only large companies, but also small and medium-sized enterprises (SMEs) that carry out ‘essential activities’ or do business with companies that do. The proposal lists various elements of security that companies must implement, one of which is vulnerability disclosure.
Organizations that do not comply with the directive could face a fine. However, we should not treat this implementation as something that must be done merely because the law imposes it; we should approach it with the intrinsic interest and motivation to create and maintain a high level of digital security.
Moreover, having a Coordinated Vulnerability Disclosure (CVD) policy published on your website has a variety of positive effects: not only does it help with compliance and make your company more secure, but it also shows the world that you take security seriously and pay attention to these issues. In addition, it opens the door for the large community of helpful security professionals who might, sometimes by complete accident, find something related to your company. Having this policy published gives them a clear and safe route to reach out to you and help.
But it doesn’t end here. There also needs to be a process to handle the incoming reports. This process, in turn, needs commitment from management and reserved capacity to respond adequately to vulnerabilities. Some organizations might already have procedures in place for dealing with vulnerabilities, for instance those found during a penetration test. The process for handling vulnerabilities reported through the CVD program can often tie into these existing processes.
Having disclosure policies is nothing new. In 2013, the Dutch National Cyber Security Centre (NCSC) published a guideline for Responsible Disclosure that would pave the way for what is now the Coordinated Vulnerability Disclosure policy. Since then, the NCSC has consistently encouraged public and private entities to implement such policies. Why? Because the NCSC believes a trust-based cooperation within the community will make the digital world more secure, and so do we!
Today we would like to say a few words about how to handle the disclosure process in the right way, why it is important to do so, and what actually makes a good CVD program.
To begin with, we believe that communication is the key to a successful CVD process. A great advantage of CVD is that you can decide how you would like the researcher to report the vulnerabilities they find, and manage expectations upfront by communicating how you will handle the reports. We would like to go through some points on how to communicate about, during, and after the disclosure process.
Communication about the disclosure process
In the CVD policy, an organization describes the conditions that must be met for a report to be taken into consideration, and can make a promise about how it will be handled. One of the most important things that needs to be clearly stated is the principle of “safe harbor”, meaning that the organization will not report the reporting party, or take other legal steps, as long as the research and reporting have been carried out within the conditions described. It is advisable to clearly define which targets are in the scope of the policy and which research methods are allowed. This is also the place to define how communication will proceed after a report has been submitted, for instance the time frame in which the reporter can expect a response. It is also possible that, at some point, you will want to adjust the CVD policy, so it is important to notify reporting parties about these changes and when they were made. You can do that by providing the publication date of the updated policy. Additionally, the company should state how the researcher will be acknowledged and which form of reward, if any, they will be given.
Communication during the disclosure process
At this stage, it is important that, after the researcher has reported a vulnerability, the organization communicates the expected period for a solution and sends frequent updates to the reporter about the progress of resolving the flaw. If there are any setbacks and the organization is unable to meet the deadline, this should also be communicated. Being open and transparent about the process and progress will prevent frustration. Most of the time, reporters will be considerate if things take longer than expected, as long as this is clearly communicated.
Communication after the disclosure process
At this stage of the process, the organization should clarify whether the researcher would like public recognition: for some reporters this is important, while others would prefer to stay anonymous. Some companies have a hall of fame on their website, letting others know who contributed to their online security. To show even more appreciation to the researcher, a reward can be given once the vulnerability is patched. This token of appreciation can be company swag or even a monetary reward. A great example is the “I hacked the Dutch government and all I got was this lousy t-shirt” shirt that the Dutch NCSC sends out as a reward. Reporters appreciate the recognition, even if it is something simple like a t-shirt, as can be seen in this tweet by our security analyst Lennaert Oudshoorn.
Finally, after the CVD process is completed, the researchers may also inform others about the vulnerability and the discovery process, as disclosure is also about spreading knowledge so others can learn from it. Sometimes agreements are made that prevent public disclosure. However, in a CVD process the researcher is reaching out to help with no real gain for themselves, which makes it difficult to force terms such as a non-disclosure agreement onto them. Another advantage of allowing public disclosure of a successful CVD process is that you can show the world that you take security reports seriously and act on them.
To sum up, we believe that the disclosure process should mean working together with the reporter to remediate the issues found, and both parties, the reporter and the recipient, have to cooperate and adhere to the agreed guidelines!