Cybersecurity Tech Accord comments on OECD work on Responsible Management and Disclosure of Vulnerabilities

Dear Mr. Bernat,

Thank you very much for the opportunity to provide comments on the preliminary outline of work of the OECD Working Party on Security in the Digital Economy on Responsible Management and Disclosure of Vulnerabilities. The Cybersecurity Tech Accord signatories believe this is an important initiative that has the potential to bring together industry, civil society, and government in agreement and in promotion of good practices that will improve digital security for us all.

The Cybersecurity Tech Accord is a public commitment and coalition of now more 100 global technology companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace. The primary motivation for companies that have signed the Cybersecurity Tech Accord has always been the protection of users and customers around the world. This commitment is reflected within our very first principle – We will protect all of our users and customers everywhere – which highlights the importance of neutrality, both in terms of who we strive to protect and  from whom we strive to protect them. This principle also commits us to design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, which in turn reduces the likelihood, frequency, exploitability, and severity of vulnerabilities in our products.

In keeping with this principle, one of the first actions the group took together in 2018 was to call on the technology industry to adopt vulnerability disclosure policies, and to highlight the work done by the Global Forum on Cybersecurity Expertise (GFCE) to provide helpful guidance in this regard. We recently followed up on that call with an announcement that all Cybersecurity Tech Accord signatories will have their own vulnerability disclosure policy in place. Having such a policy sets a plan of action to ensure that once a vulnerability has been identified, any risk or potential harm to users can be efficiently mitigated.

The signatories of the Cybersecurity Tech Accord come from across the technology industry, including hardware providers, security vendors, cloud computing companies, chip manufacturers, security service providers, social media companies, as well as companies that do all of the above. As a result, our signatories have experiences working on security vulnerability remediation from different perspectives, from different parts of the industry, as well as in different roles: as vendors, as participants in the process, and as reporters of vulnerabilities. This diversity is one of the reasons we have opted to promote different good practices rather than a particular vulnerability disclosure policy. These good practices are included the work of the GFCE referenced above, widely adopted international standards such as ISO/IEC DIS 30111 and ISO/IEC 29147, and the work of ICASI. It is clear to us that while a successful vulnerability disclosure policy codifies a straightforward, multi-step process through which stakeholders identify, develop, validate, distribute, and deploy mitigations, the process itself can, and often does, have significant operational and legal complexities that necessarily differ based on context.

While we provide detailed comments in the margins of the Working Party document itself, we wanted to highlight a few of the particular recommendations that we believe would improve the approach the OECD is proposing: 

  • “Coordinated” and “responsible” vulnerability management in the cybersecurity community carry different implications and can represent two distinct approaches. We would therefore recommend using a more neutral term throughout the document to avoid confusion, and to be sure to avoid using the two terms interchangeably. In line with that we would recommend that a clear terminology is used throughout the document; i.e. by sticking to “finder” throughout and not occasionally using “discoverer” instead. Furthermore, we would recommend that a glossary of terms introduced early in the document, as some of the terms that are used early on are only explained towards the end, for example the coordinated vulnerability disclosure.
  • The importance of risk management when it comes to patching vulnerabilities needs to be highlighted. We believe that risk management in this context is currently poorly understood, in particular as it relates to the impact on the time that may be needed to issue a patch. For example, vendors may have more than one vulnerability disclosed to them within the same time period and limited resources available to develop fixes. Solutions in such a situation would need to be prioritized and could be difficult to implement requiring the vendor to take more time.
  • Similarly, the OECD’s work on vulnerability management presents a useful opportunity to clarify what a “vendor” is in this context. Not only would it be important to ensure that the text differentiates between the types of vendors providing a service – software or hardware – more critically, it would be helpful to drive awareness of the fact that, in 2020, vendors are often not traditional technology players. Given the proliferation of networked devices, vendors today will include many companies not previously associated with the technology industry at all.
  • It would be important for the document to also underline the role of governments in this space, not just in creating a positive legal environment that allows for reporting of vulnerability to vendors, but in relation to their increased desire to retain vulnerabilities for offensive military and other purposes of statecraft. The Cybersecurity Tech Accord signatories welcome initiatives, such as the US Vulnerability Equities Process, which put forward a decision making framework for governments when it comes to vulnerability retention, and have put forward a set of recommendations that builds on such efforts.
  • The Cybersecurity Tech Accord signatories also believe open source warrants a mention in this document.
  • Finally, the role of users when it comes to vulnerability management needs to be addressed in the document. Users play a critical role in selecting products and services that have been designed securely, discontinuing the use of products and services that are no longer supported by vendors, as well as, and most importantly, applying the patches that are issued promptly.

We would like to once again thank you for the opportunity to provide comments on the work of the Working Party on Security in the Digital Economy on Responsible Management and Disclosure of Vulnerabilities. We believe the OECD has an essential role to play in enhancing cybersecurity not solely for the countries that are members of the organization, but for the world. We therefore look forward to subsequent opportunities to work together and provide further input and guidance on issues related to cybersecurity. Should you have any questions that emerge based on our input, please do not hesitate to contact the Cybersecurity Tech Accord through our Secretariat.