In the new Work-From-Home world where non-essential companies have pivoted into a remote workforce model with increasing reliance on business tools that ensure connectivity, there is a growing concern that tools like Zoom may not be vetted to the full extent of their now-applicable use case. And even outside of work, with consumers turning away from gyms and malls and moving their children into virtual environments for schooling, the question remains as to when the cracks in the foundation will come to light, and who will shine the light on them to the companies who are the custodians of our new normal.
Vulnerability disclosures expose companies to unfamiliar and often uncomfortable terrain when they are unprepared to receive findings from white hat hackers as to vulnerabilities in their security posture. In an ideal world there is a synchronicity between the disclosures and expectations from security researchers and the consequent organizational response, on the receiving end of such information.
Bug disclosure programs may be the easiest way to navigate these waters, but not all companies are mature enough or have the resources to set these mechanisms in place. For those who don’t, there are free resources like Disclose.IO that allow companies to opt into and display their affinity for a safe-harbor disclosure framework that gives security researchers the confidence that their disclosures will be treated fairly by the companies receiving them. Similarly, following a system like CERT put forth by scholastic industry experts like Carnegie Mellon, can be the right path forward to ensure collaboration between hackers and companies. Afterall, on the other side of the house, security researchers may be wary to come forward with their findings when faced with unknown consequences for their research including lawsuits and charges stemming from potential violations of the Computer Fraud and Abuse Act.
Paul Hastings privacy and cybersecurity partner Aaron Charfoos has guided clients through cybersecurity vulnerability disclosures, including the Meltdown and Spectre computer chip vulnerabilities, supply chain interdictions, and various other matters, some of which have involved both congressional and regulatory investigations. He counsels that the incident response (IR) framework is the most helpful framework for companies to get the best outcomes in these situations. Everything that is brought to bear in IR, comes into play in this scenario. And companies who have committed to using such a framework and have run through tabletop exercises to ensure that they have the synchronicity and muscle memory to get through them in real-time will do best when presented with an actual situation in which their security or privacy postures are called into question.
Conversely, in order to better prepare themselves for the information exchange, security researchers should understand the complexity companies face when vulnerabilities are brought to their doorstep. An appreciation that companies which responsibly adjudicate disclosures of this nature are running their assessments and actions through a multilayer framework akin to IR means that cross-departmental stakeholders from across an entire organization are running a game-time analysis of regulatory disclosures, contractual obligations, reputational harm, and litigation, to name a few. Internet-facing business applications in particular pose existential risks to an organization if found to be deficient or insecure. And these issues can often take some time to fix.
Charfoos suggests that hackers who find vulnerabilities be reasonable in their approach and allow companies sufficient time to work through a solution that adequately addresses the vulnerabilities so that the products can be fixed appropriately and users can be informed in lockstep with a solution.
Specifically, when a breach occurs and an enterprise runs vulnerability disclosure through their IR framework, they are able to take initial steps of establishing severity to the findings and determining the proper outcomes. Further, if the enterprise can successfully work with the researcher on a coordinated release to the public (if that is the desired outcome), assuming no one else has operationalized the vulnerability in the wild, they can also reduce liability and gain the confidence of their board and shareholders. A coordinated disclosure done right may actually increase consumer confidence in a product.
Security researchers should understand that their research could lead to existential events for a company. While many security researchers are consumed with the technical prowess of the findings, they may not know how to get those findings into the hands of the right people at the company.
Charfoos suggests that when contacting the company, researchers should understand that alluding to going public with the vulnerabilities in a vacuum and without a coordinated approach will not always work in the favor for white hat security researchers looking to gain a good reputation in the industry. An important takeaway for those who come across a vulnerability, find the right person at the company to deliver it to. A big problem implicates putting it in the hands of an equally positioned player like the Chief Security Officer. But that person may not be easy to get in touch with, and rightly so. So in those situations and for companies that don’t have bug bounties or outward-facing responsible disclosure programs, contact the legal department. And if you can’t get there right away, start with customer service and work your way up.
Vulnerabilities originating from cyber threat intelligence or penetration testing by good samaritans and security experts can be rife with complexities and existential risks if not navigated properly. And with regulators like the FTC, FDA and Department of Justice increasingly taking a position on the expected role of corporations in meeting their cybersecurity obligations with vulnerability disclosure programs, at the end of the day, it makes sense for companies to encourage and have a defined intake approach to vulnerability disclosures from researchers to get these across the finish line together. After all, more than ever before, the integrity and security of our new normal depends on it.
For additional guidance to security researchers for next steps when reaching out directly to a company to disclose, check out Aaron’s guidance: