Responsible Disclosure – Critical for Security, Critical for Intelligence

Not Adhering to Responsible Disclosure has the Potential to Amplify the Threats Posed by Certain Vulnerabilities and Incidents

As a company that delivers intelligence derived from the Deep & Dark Web, we come across everything from stolen data and insider recruitment to emerging cyber and physical threats on a daily basis. These observations also mean that often, we identify organizations’ security vulnerabilities, existing threats, and critical incidents before they do. While such scenarios are growing increasingly common among threat intelligence vendors, the industry as a whole has yet to standardize and enforce guidelines pertaining to what happens next. What exactly should you do after uncovering that, for instance, an organization is unknowingly infected with dangerous malware, has yet to discover a large-scale data breach, or has a zero-day vulnerability with the potential to harm its entire base of end-users? 

While it can be tempting to disclose findings of this nature to the public immediately through the media or other marketing means — also known as “full disclosure” — doing so could exacerbate the circumstances for attack victims and their broader networks. The ramifications can be enormous, which is why it’s time for threat intelligence vendors to model themselves after security researchers and recognize the critical need for responsible disclosure.

Serious implications for safety and security

First and foremost, not adhering to responsible disclosure has the potential to amplify the threats posed by certain vulnerabilities and incidents. By publicly exposing a zero-day vulnerability without giving the affected company sufficient time to address it, you also expose the vulnerability to threat actors who could potentially take advantage of it before a patch becomes available. And given that a patch may not always be made available immediately, it’s even more crucial that knowledge of the vulnerability remain as restricted as possible from those with the potential to abuse it. 

Even in certain circumstances where knowledge of a vulnerability has already fallen into the wrong hands, public disclosure can be detrimental. For instance, let’s say you observe a small group of cybercriminals on an elite Dark Web forum discussing plans for exploiting a flaw in a popular mobile banking application. Suppose that this flaw would enable anyone to bypass the app’s anti-fraud measures, and as such, it renders the app’s entire end-user base extremely susceptible to fraud. While knowledge of the vulnerability was initially limited to a small group of elite cyber criminals, publicly disclosing it vastly increases the number of people able to abuse and capitalize on it, thereby rendering even more end-users susceptible. Such practices can be especially damaging in situations where the vulnerability affects the company’s critical systems, sensitive information, and/or broader network of stakeholders.  

The consequences of victim-shaming 

Aside from the security and safety implications of not adhering to responsible disclosure, such practices facilitate victim-shaming, which carries numerous widespread negative consequences. First, victim-shaming can be a PR nightmare for the affected organization. An abundance of negative press and countless inquiries typically means that the organization may need to waste precious time and resources assuaging fears and responding — often without clear answers — to the media, customers, stakeholders, shareholders, and others. In many cases, bad PR of this nature can sensationalize the threat, vulnerability, or incident, leading to large-scale public overreaction with the potential to ripple outward even further and take more time and resources away from the affected organization.

For the vendors whose disclosure of an organization’s sensitive information leads to unnecessary public outcry and/or victim-shaming, the consequences can be substantial. Even when no such fallout occurs, vendors who engage in such practices may appear to be hurting another brand’s reputation as a means of gaining media coverage, earning industry recognition, and building their own name. As threat intelligence vendors, we often face intense pressure and competition to be the first to release “breaking news” and identify critical information for the broader community. While public disclosure of certain vulnerabilities and affected organizations may be tempting for these reasons, it’s crucial to recognize that the potential negative fallout may be neither productive nor conducive to upholding the culture of security awareness we all strive for.

Intelligent disclosure

Although security researchers have been key proponents of responsible disclosure for years, established practices and protocols are just beginning to gain traction among intelligence vendors. At Flashpoint, while our approach varies depending on the nature and severity of the threat posed by the vulnerability and/or incident, it’s always our first priority to notify the affected organization immediately. From there, we work with the organization to ensure that vulnerabilities have been addressed and threats mitigated; in many cases, we can do so without ever naming the organization publicly.

Often, responsible disclosure means announcing the key facts surrounding an incident — typically, what others need to know in order to protect themselves — without disclosing all of the unnecessary specifics. For instance, we may announce the ways in which a large healthcare organization on the west coast became the victim of ransomware, indicators of the specific strain of ransomware, and what other organizations can do to avoid a similar fate.

Under certain circumstances where our team feels that withholding the information could raise others’ risk levels substantially but releasing it will not exacerbate the threat, we do release it to the public — but in an informative way that answers all questions, explains the risk accurately, and outlines any actions those affected may need to take. This type of disclosure ultimately saves the affected organization substantial time and resources by informing the public in an organized way. Ultimately, it’s our job to help our customers and the broader community protect themselves and mitigate risk — not expose them to more risk.
