Ethics, Responsibilities, Vulnerabilities

by Art Manion, Serge Droz and Jeroen van der Ham Monday, May 18th, 2020

Coordinated Vulnerability disclosure is hard. This is particularly true if multiple parties are involved. FIRST is helping with ethical and practical guidelines.

The story of FIRST begins more than thirty years ago, when Robert Morris found a vulnerability in sendmail and created his famous worm that brought the Internet to a grinding halt. Shortly thereafter, as a direct result of this event, the first incident response teams and FIRST were founded. Much has changed meanwhile. Today we are in a much better position to handle such events. But what has remained since then is the challenge to properly handle vulnerabilities. It all sounds simple: If someone finds a vulnerability, he or she just reports it, and the vendor fixes it, problem solved.

Unfortunately it’s not that simple. First off there are many stakeholders with different interests. Users focus on patching and mitigation to defend their networks. Vendors and developers also want to protect their users, but balance development resources and other business interests. Supply chain and lifecycle concerns are increasingly important factors adding complexity in multi-vendor, multi-party disclosures. Researchers care about general security, sometimes seeking to bolster their reputations in the process. Governments often focus on national protection and public safety, but also have competing interests in vulnerabilities remaining unfixed for offensive operations.

As a community including both CSIRTs and PSIRTs, FIRST members are well-positioned to help de-escalate and normalize vulnerability handling and coordinated vulnerability disclosure.

The discussion about handling vulnerabilities is ongoing and happens at all levels. The United Nations Governmental Group of Experts recommended in their 2015 consensus report: States should encourage responsible reporting of ICT vulnerabilities and should share remedies to these.

While a step in the right direction, it’s far from clear what this means, and in particular how it applies to non-state actors, such as vendors or security researchers. One of the challenges is that we often face dilemmas handling vulnerabilities. An informal industry standard is to report a vulnerability to the vendor and wait 90 days to fix the problem before publishing details. But what if the vulnerability can’t be fixed easily, or the vendor does not respond? What if dozens, or hundreds of vendors are affected?

Several organisations are tackling this problem: UNIDIR conducted a workshop Operationalising Cyber Norms: Multi-stakeholder Approaches to Responsible Vulnerabilities Disclosure while the OECD is working on updating its guidance to Digital Security Risk Management. FIRST is proud to participate in both of these initiatives.

FIRST members are often faced with dilemmas, and thus the Ethics SIG has started to develop a Code of Ethics. It contains a set of guiding principles, with the overarching goal of increasing trust and minimising harm. Specifically it recommends to “follow coordinated vulnerability disclosure by cooperating with stakeholders to remediate the security vulnerability and minimize harm associated with disclosure”. The Code accepts that often optimal solutions for all stakeholders are not available.

The FIRST Vulnerability Coordination Special interest group (SIG) translates these guiding principles into practical recommendations for dealing with vulnerability disclosure. These guidelines help affected parties to react appropriately. The SIG consists of practitioners from private industry, academia and governments with years of experience in dealing with vulnerabilities.

For example the “Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure” have just been updated to version 1.1. The document addresses all stakeholders and provides real live examples and best practices.

The topic of vulnerability disclosure—particularly multi-party disclosure—is too complex to come up with a “one size fits all” solution. FIRST recommends that organisations dealing with responsible vulnerability disclosure use the materials that are offered to come up with their own process that fits their situation. FIRST invites them to discuss their experiences with members so that together they improve on the materials FIRST makes available.These documents are regularly updated by practitioners and provide valuable guidance.

For example Kasperky’s recently published Responsible vulnerability disclosure: ethical principles was written with these materials in mind.

If you are interested in participating in either the Ethics or the Vulnerability Coordination SIGs, or have any other question, please reach out to first-sec@first.org.