“Security vulnerabilities are discovered all the time and people want to be able to report them directly to the organization responsible. These reports can provide you with valuable information that you can use to improve the security of your systems. It really is in your best interest to encourage vulnerability disclosure.”

Vulnerability Disclosure: How it Works

Security holes in software and network devices are discovered by:
  • Security researchers: Some work for large or small businesses; others work independently.
  • Malicious hackers: They tend to not disclose vulnerabilities to the public because they want to use them to gain access.
  • Vendors themselves: The individuals and companies who make software will often find a security hole in their own products and release a fix.
The way the public is told about vulnerabilities is called ‘disclosure’ or ‘vulnerability disclosure’. It is a controversial subject that is constantly being debated. Most vulnerabilities that are disclosed publicly are discovered by security researchers.
 
The steps they take to disclose a vulnerability to the vendor (software maker) and then the public are usually as follows:
  1. The researcher discovers the vulnerability. At this point the Window Of Vulnerability (WoV) time-frame begins. The vulnerability is also known as a Zero Day at this point.
  2. The researcher contacts the vendor privately and lets them know that they have a security problem and supplies the details. At this point the vulnerability is confidential and it stops being a Zero Day. However, the WoV is still open.
  3. The vendor and researcher will then agree that the vendor has a certain amount of time to fix the vulnerability before the researcher releases details to the public. This can range from a few days to several months. They may also agree to an open time-frame where the researcher will only let the public know when the vendor says they’re ready.
  4. The vendor will then release a fix to their customers. For example, Microsoft will release a new version of Internet Explorer which contains a security fix. At this point the WoV closes because a fix is now available to customers who use the software.
  5. Once the fix has been released and the customers have had enough time to upgrade, the researcher will release full details of the vulnerability to the public.
You might ask why a researcher would want to release the full details of a security hole or vulnerability to the public at all. Security researchers make their living through consulting and selling security products and services.
 
Doing security research costs them time and resources. They need to be compensated for this investment and by announcing to the world that they discovered an important vulnerability it helps market their products and services.
 
Releasing full technical details of a vulnerability by a researcher illustrates the great work that they’re capable of and helps them cover their expenses, make a living and helps fund future research.
 
Important to Note:
 
You can see the newest announced vulnerabilities by subscribing to email lists like ‘Full Disclosure’. Sometimes vulnerabilities are not shared with a vendor and are simply released to the public as a Zero Day. When this happens you are in a situation where an active Zero Day is ‘in the wild’ (known to hackers) and a fix is not available.
 
Deal with these as you would with any Zero Day vulnerability. Researchers may also not give vendors much time to fix a vulnerability before announcing it to the public. In this case you need to upgrade to the newest version of the affected software as soon as a fix is released, to minimize risk to your website.
 
On December 2, 2019, CISA (the Cybersecurity and Infrastructure Security Agency, the U.S. cybersecurity agency) proposed a new policy for all federal agencies: a draft directive requiring every agency to develop and publish a vulnerability disclosure policy.
 
In September 2020, the UK government released a toolkit to help agencies and companies disclose vulnerabilities easily.
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
