Nothing tends to get cybersecurity professionals more animated than the topic of vulnerability disclosures. At one end of the spectrum are cybersecurity professionals who feel these disclosures do more to help the enemy than good. At the other end of the spectrum, there are plenty of cybersecurity professionals who feel most of these vulnerabilities are already known by someone quietly exploiting them for their own purposes. It’s in the best interest of the IT community for everyone to know what those vulnerabilities are as soon as possible.
At the recent RSA conference, Tripwire, a provider of IT security and compliance software, explored this topic. A survey of 147 RSA attendees finds 32 percent of respondents say vendors should be given 60 days to fix a vulnerability before it gets disclosed. Another 15 percent said they should be given 90 days, while six percent said 120 days. But a quarter (25%) said vulnerability disclosures should not have to wait at all, while 20 percent said they should never be disclosed without a fix in place.
Of course, researchers who engage in vulnerability research can generate a lot of controversy. For example, when the Meltdown and Spectre flaws were disclosed there was clearly a significant amount of grandstanding. Survey respondents are equally split on whether these activities should even be allowed. Half said people should not be allowed to test the security constraints of products and services without approval. The governor of Georgia apparently disagrees. SB 315, a law that would have banned good-faith cybersecurity research, was vetoed this week by Governor Nathan Deal.
Nevertheless, 53 percent say their organization does have an official channel for sharing vulnerabilities. Over a third (36%) say they have received unsolicited vulnerability reports, and 24 percent say there have been attempts to extort their organizations by individuals claiming to have discovered a vulnerability.
There’s no doubt vulnerability disclosure should be handled with great care. But cybersecurity professionals should also assume that cybercriminals now have extensive vulnerability research capabilities of their own that will only become more sophisticated as they leverage advances in machine learning algorithms and other forms of artificial intelligence. Cyber espionage organizations have already shown multiple times over how skilled they are at discovering vulnerabilities as well. We may be approaching a time when the only ones who don’t know about a specific vulnerability are the individuals tasked with securing that IT asset.
As a practical matter there’s not much to be done about researchers that want to invest their time in discovering vulnerabilities. But many companies provide monetary rewards to researchers that privately share what they discover. Other researchers, however, are clearly using their efforts as a marketing tool to drive demand for their future services.
However the IT community may feel about these researchers, it’s arguable most of them are still doing more good than harm. Most of the exploits cybercriminals rely on are well-known. The bigger issue is the inability of IT organizations to deploy patches in a timely manner to thwart attacks that take advantage of those well-known vulnerabilities. A vulnerability that’s not known to have been exploited yet isn’t going to be all that high a priority.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.