Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

To Share or Not to Share: The Security Researcher’s Dilemma

The End User Community is at the Mercy of Security Researchers to Act Responsibly

The End User Community is at the Mercy of Security Researchers to Act Responsibly

This year’s WannaCry ransomware attack as well as the massive Equifax data breach have highlighted the need for threat information sharing, security research collaboration, and open source security tools development. With any of these endeavors, there is always an inherent risk that information being disseminated to security professionals for defensive purposes could potentially be used by bad actors for nefarious uses. 

According to analyst firm Gartner (State of the Threat Landscape, 2017 by Greg Young) through the year 2020, 99 percent of vulnerabilities exploited will be known by security and IT professionals. This was the case in the Equifax data breach, whereby the attackers exploited a known vulnerability in the Apache Struts Web application software, a widely used enterprise platform. The Apache Software Foundation had made a patch available in March, giving the credit-reporting mammoth more than two months to take preventive measures that would have minimized the risk of exposure. 

So what steps can security researchers take to mitigate the risk of their findings and code being misused?

Security Vulnerability DisclosureAs part of their work, security researchers often compromise (i.e., hack) the defense mechanisms of a computer, network, or software system to prove that a given attack is possible and find a way to remediate the vulnerability before bad actors can exploit it. By publishing their research findings and associated exploits, researchers run the risk of their code being used by cyber criminals to create new exploits or finding its way into malicious tools.

To minimize the risk of being held responsible for someone misusing their research findings, the security research community has been applying two primary disclosure models:  

Under the full disclosure approach, security researchers publish the details of newly identified vulnerabilities as early as possible and make the information available to everyone without any restrictions, which typically includes publicly releasing it (inclusive of exploits created for a proof-of-concept) through online forums or websites. Proponents of the full disclosure approach argue that potential victims of a previously unknown vulnerability should have the same information as the attackers that can exploit it. 

An alternative approach, which is supported by most of the ISV community, CERT, and SANS Institute, is responsible disclosure. This approach takes a more collaborative stand, whereby the security researcher submits a vulnerability advisory report to the vendor, which documents the location of the vulnerability using screenshots or pieces of the code, supporting evidence, and may include a repeatable proof-of-concept attack to assist in testing a resolution. After submitting the report to the vendor using the most secure means possible (e.g., as an encrypted email), the researcher typically allows the vendor a reasonable amount of time to investigate and fix the vulnerability. Once a patch is available or the disclosure timeline has elapsed, the researcher will publish an analysis of his/her findings. 

In this context, CERT recommends not disclosing the exploit itself since their position is the number of people who can benefit from access to an exploit is small compared to the number of people who can be harmed if it is weaponized. The objective of the responsible disclosure approach is to balance the need of the public to be informed of security vulnerabilities with vendors’ need for time to respond effectively. While a consensus on what represents a “reasonable amount of disclosure time” has not been reached, the majority of security researchers follow CERT’s recommended waiting period of 45 days.

Advertisement. Scroll to continue reading.

Given the number of significant vulnerabilities being discovered in software on a daily and weekly basis, it’s clear that the end user community is at the mercy of security researchers to act responsibly in order to limit the potential for their findings to be used for malicious purposes. The increasing use of bug-bounty programs by the vendor community and greater frequency of penetration testing by end user organizations can further assist in discovering certain vulnerabilities before they become public. 

However, identifying vulnerabilities is only half the battle. Fixing them is a bigger challenge. That’s why Gartner states that “the single most impactful enterprise activity to improve security will be patching.” 

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.