The importance of vulnerability disclosure policies

The primary motivation for the companies that have signed the Cybersecurity Tech Accord has always been the protection of our users and customers around the world. This is reflected within our very first principle, which highlights the importance of neutrality of that approach, both in terms of whom we strive to protect and who we strive to protect from. This principle also commits us to design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, which in turn reduces the likelihood, frequency, exploitability, and severity of vulnerabilities in our products.

In keeping with this principle, one of the first actions the group took together in 2018 was to call on the technology industry to adopt vulnerability disclosure policies, and to highlight the work done by the Global Forum on Cybersecurity Expertise (GFCE) to provide helpful guidance in this regard. We recently followed up on that call with an announcement that all Cybersecurity Tech Accord signatories will have a vulnerability disclosure policy in place by the end of this year. Having such a policy in place ensures that once a vulnerability has been identified, any risk or potential harm to users can be minimized.

We are not alone in recognizing that such policies are important; governments have also started pushing organizations to adopt vulnerability disclosure policies. The new European Union Agency for Cybersecurity was recently tasked with assisting Member States and EU institutions, agencies and bodies in establishing and implementing vulnerability disclosure policies on a voluntary basis, as well as with increasing the cooperation between technology vendors and the cybersecurity research community as part of this effort. Going a step further, in the United States, the Internet of Things Cybersecurity Improvement Act would establish a vulnerability disclosure process for internet-connected devices and prohibit government agencies from buying devices from vendors that do not have such a policy in place. Finally, the most recent proposal on this topic, the Chinese Ministry of Industry and Information Technology's (MIIT) provisions on Coordinated Vulnerability Disclosure, would be the most prescriptive and would mandate a particular vulnerability disclosure policy.

The signatories of the Cybersecurity Tech Accord come from across the technology industry, bringing together hardware providers, security vendors, cloud computing companies, chip manufacturers, security service providers, social media and social networking services, and companies that do all of the above. As a result, our companies have experience working on security vulnerability remediation from different perspectives, not only from different parts of the industry, but in different roles: as vendors, as participants in the process, and as reporters of vulnerabilities. This is one of the reasons why we have opted to promote different good practices rather than a particular vulnerability disclosure policy. These include the work of the GFCE referenced above, widely adopted international standards such as ISO/IEC DIS 30111 and ISO/IEC 29147, and the work of ICASI in this space. It is clear to us that while a successful vulnerability disclosure policy codifies a straightforward, multi-step process through which stakeholders identify, develop, validate, distribute, and deploy mitigations, the process itself can, and often does, have significant operational and legal complexities that will differ based on context.

A few of these good practices deserve to be called out and encouraged.

Given the complexities involved, we recommend that governments set no strict deadlines for remediations to be issued. It is vital that vendors are not constrained by well-intentioned but inflexible deadlines, so that they can address the vulnerabilities that pose the greatest risk first, rather than tackle them in chronological order. Moreover, delivering effective mitigations requires testing the proposed measures, which can be especially time intensive for hardware or software systems that must interoperate with many other programs and applications. This process must be thorough to ensure that the deployment of patches or other mitigating measures does not create operational challenges for users, which could delay deployment or undermine user trust in fixes.

By keeping the number of entities that need to be aware of a vulnerability to a minimum, we can further reduce the risk of it being exploited before a solution is available. Those who discover a vulnerability should ideally report the relevant information directly to the impacted vendor, who is best positioned to lead subsequent coordination efforts, validate the vulnerability, and finally develop remediations and remediation delivery processes.

While it is good to keep the number of entities involved to a minimum, proper communication among those included is perhaps the most important element of any vulnerability disclosure policy. Responsive acknowledgment and, as needed, ongoing dialogue between reporters of vulnerabilities and vendors working to investigate and fix them can increase trust and decrease uncertainty, making collaboration and the prioritization of user safety more straightforward. In addition, vendors should assume that anyone who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and wishes to reduce the threat posed. On that basis, companies should consider adopting a vulnerability disclosure safe harbor policy that commits them not to pursue criminal or civil action for good-faith or accidental violations of their disclosure process.

No two vulnerabilities are alike; some have simple fixes, while others are extremely complex and require coordination throughout a supply chain. Even keeping in mind the first point above, that a vulnerability should be addressed in a timely manner, the need for flexibility remains essential. It is widely recognized by entities like ISO/IEC and CERT/CC and should be a grounding principle in any government policy on this issue.