Operationalizing international cybersecurity norms: Vulnerability disclosure policies

Last month, the Cybersecurity Tech Accord joined the United Nations Institute for Disarmament Research (UNIDIR) at an event that explored different approaches to vulnerability disclosure, bringing together government, industry, and civil society representatives. The gathering was organized against the backdrop of the 2015 report of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, which called on states to “encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure”.

At the event, Cybersecurity Tech Accord signatories Microsoft, Safe PC Cloud, and Panasonic discussed how to best operationalize this international cybersecurity norm, focusing on key concepts at the heart of vulnerability disclosure, such as “risk management” and “zero days.” In addition, panelists highlighted crucial issues related to vulnerability disclosure, including difficulties in identifying the relevant stakeholders involved in the vulnerability disclosure process as well as the need to challenge preconceived notions about who has responsibilities when it comes to vulnerability handling. On the latter, in particular, participants emphasized that, in today’s context, the concept of a “vendor” might well include entities and individuals as varied as car manufacturers, researchers, and even a child that stumbles upon a vulnerability whilst attempting to cheat parental controls on an Xbox.

The discussion also acknowledged that the technology industry has a core responsibility for securing its systems, both at the development stage of products and services and when identifying and managing any vulnerabilities in those systems. This responsibility is in fact reflected in the Cybersecurity Tech Accord’s first principle – a commitment by signatories to design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability. This in turn reduces the likelihood, frequency, exploitability, and severity of vulnerabilities in our products and services. In upholding this principle, since 2018 the group has encouraged the adoption of vulnerability disclosure policies throughout the technology industry as a best practice, and has advanced the implementation of such policies among signatories in particular.

As of today, 75 of our signatories have a vulnerability disclosure policy in place, with the objective of seeing the rest of the group follow suit. These signatory policies on vulnerability handling, as well as the relevant contacts, are now easily found in a dedicated section on our website, which will continue to be updated in the coming months as new signatories adopt their own policies to address this issue. We hope that this centralized resource will serve as an example to the industry more broadly, encouraging others to adopt their own vulnerability disclosure policies, as well as proving a useful tool for security researchers.

The role of governments in driving greater awareness and encouraging the adoption of good practices in this space was also touched on at the UNIDIR event. In particular, attendees emphasized the need to ensure that security researchers are protected from prosecution when they discover and report vulnerabilities. The adoption of vulnerability policies for government systems, as well as the amplification of mitigation techniques in coordination with vendors, were also suggested as helpful tools to drive greater awareness. Finally, vulnerability equities processes to limit the stockpiling of vulnerabilities, such as the ones adopted by the UK and US governments, were highlighted as practices for other governments to emulate. In line with the Cybersecurity Tech Accord’s earlier call, it was recommended that these policies (i) presume disclosure as the starting point, (ii) be as transparent as possible, (iii) include stakeholders from economic, consumer, and diplomatic circles, as opposed to simply the national security community, and (iv) apply to all government-held vulnerabilities.

The signatories of the Cybersecurity Tech Accord have always believed that protecting cyberspace requires robust collaboration between the government and private sectors. When a government’s approach to vulnerability handling favors stockpiling over disclosure, this critical collaboration is weakened, and public trust in cyberspace is jeopardized. Similarly, it is critical that private sector actors act responsibly when notified of vulnerabilities. As the largest coalition of global technology firms dedicated to improving the cybersecurity ecosystem, the group regards the commitment to see all signatories adopt vulnerability handling policies as a significant step forward, and it will continue to contribute to enhancing cybersecurity awareness and promoting cybersecurity best practices globally. In addition to the immediate benefits accrued to our respective users and customers, we also hope that supporting and implementing such policies sets an example for other technology companies around the world seeking to employ responsible best practices to improve security.