Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

To Share or Not to Share: The Security Researcher’s Dilemma

The End User Community is at the Mercy of Security Researchers to Act Responsibly

The End User Community is at the Mercy of Security Researchers to Act Responsibly

This year’s WannaCry ransomware attack as well as the massive Equifax data breach have highlighted the need for threat information sharing, security research collaboration, and open source security tools development. With any of these endeavors, there is always an inherent risk that information being disseminated to security professionals for defensive purposes could potentially be used by bad actors for nefarious uses. 

According to analyst firm Gartner (State of the Threat Landscape, 2017 by Greg Young) through the year 2020, 99 percent of vulnerabilities exploited will be known by security and IT professionals. This was the case in the Equifax data breach, whereby the attackers exploited a known vulnerability in the Apache Struts Web application software, a widely used enterprise platform. The Apache Software Foundation had made a patch available in March, giving the credit-reporting mammoth more than two months to take preventive measures that would have minimized the risk of exposure. 

So what steps can security researchers take to mitigate the risk of their findings and code being misused?

Security Vulnerability DisclosureAs part of their work, security researchers often compromise (i.e., hack) the defense mechanisms of a computer, network, or software system to prove that a given attack is possible and find a way to remediate the vulnerability before bad actors can exploit it. By publishing their research findings and associated exploits, researchers run the risk of their code being used by cyber criminals to create new exploits or finding its way into malicious tools.

To minimize the risk of being held responsible for someone misusing their research findings, the security research community has been applying two primary disclosure models:  

Under the full disclosure approach, security researchers publish the details of newly identified vulnerabilities as early as possible and make the information available to everyone without any restrictions, which typically includes publicly releasing it (inclusive of exploits created for a proof-of-concept) through online forums or websites. Proponents of the full disclosure approach argue that potential victims of a previously unknown vulnerability should have the same information as the attackers that can exploit it. 

An alternative approach, which is supported by most of the ISV community, CERT, and SANS Institute, is responsible disclosure. This approach takes a more collaborative stand, whereby the security researcher submits a vulnerability advisory report to the vendor, which documents the location of the vulnerability using screenshots or pieces of the code, supporting evidence, and may include a repeatable proof-of-concept attack to assist in testing a resolution. After submitting the report to the vendor using the most secure means possible (e.g., as an encrypted email), the researcher typically allows the vendor a reasonable amount of time to investigate and fix the vulnerability. Once a patch is available or the disclosure timeline has elapsed, the researcher will publish an analysis of his/her findings. 

In this context, CERT recommends not disclosing the exploit itself since their position is the number of people who can benefit from access to an exploit is small compared to the number of people who can be harmed if it is weaponized. The objective of the responsible disclosure approach is to balance the need of the public to be informed of security vulnerabilities with vendors’ need for time to respond effectively. While a consensus on what represents a “reasonable amount of disclosure time” has not been reached, the majority of security researchers follow CERT’s recommended waiting period of 45 days.

Given the number of significant vulnerabilities being discovered in software on a daily and weekly basis, it’s clear that the end user community is at the mercy of security researchers to act responsibly in order to limit the potential for their findings to be used for malicious purposes. The increasing use of bug-bounty programs by the vendor community and greater frequency of penetration testing by end user organizations can further assist in discovering certain vulnerabilities before they become public. 

However, identifying vulnerabilities is only half the battle. Fixing them is a bigger challenge. That’s why Gartner states that “the single most impactful enterprise activity to improve security will be patching.” 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.