Companies and researchers coordinating on disclosure – 451 Research
Application security testing (AST) provider Veracode has today released results of a global survey on software vulnerability disclosure, Exploring Coordinated Disclosure, that examines the attitudes, policies and expectations associated with how organisations and external security researchers work together when vulnerabilities are identified.
The study reveals that today, software companies and security researchers are near-universal in their belief that disclosing vulnerabilities to improve software security is good for everyone.
The report found 90% of respondents confirmed disclosing vulnerabilities “publicly serves a broader purpose of improving how software is developed, used and fixed.”
This represents an inflection point in the software industry – the recognition that unaddressed vulnerabilities create an enormous risk of negative consequences to business interests, consumers, and even global economic stability.
“The alignment that the study reveals is very positive,” says Veracode chief technology officer and co-founder Chris Wysopal.
“The challenge, however, is that vulnerability disclosure policies are wildly inconsistent. If researchers are unsure how to proceed when they find a vulnerability it leaves organisations exposed to security threats giving criminals a chance to exploit these vulnerabilities.
“Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day. A strong disclosure policy is a necessary part of an organisation’s security strategy and allows researchers to work with an organisation to reduce its exposure,” he says.
“A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped.”
Key findings of the research include:
- Unsolicited vulnerability disclosures happen regularly. The report found more than one-third of companies received an unsolicited vulnerability disclosure report in the past 12 months, representing an opportunity to work together with the reporting party to fix the vulnerability and then disclose it, thus improving overall security. For those organisations that received an unsolicited vulnerability report, 90% of vulnerabilities were disclosed in a coordinated fashion between security researchers and the organisation. This is evidence of a significant shift in mindset that working collaboratively is the most effective approach toward transparency and improved security.
- Security researchers are motivated by the greater good. The study shows security researchers are generally reasonable and motivated by a desire to improve security for the greater good. Fifty-seven percent of researchers expect to be told when a vulnerability is fixed, 47% expect regular updates on the correction, and 37% expect to validate the fix. Only 18% of respondents expect to be paid and just 16% expect recognition for their finding.
- Organisations will collaborate to solve issues. Promisingly, three in four companies report having an established method for receiving a report from a security researcher and 71% of developers feel that security researchers should be able to do unsolicited testing. This may seem counterintuitive since developers would be most impacted in having their workflow interrupted to make an emergency fix, yet the data show developers view coordinated disclosure as part of their secure development process, expect to have their work tested outside the organisation, and are ready to respond to problems that are identified.
- Security researchers’ expectations for remediation time aren’t always realistic. After reporting a vulnerability, the data shows 65% of security researchers expect a fix in less than 60 days. That timeline might be too aggressive and even unrealistic when weighed against the most recent Veracode report, which found more than 70% of all flaws remain one month after discovery and nearly 55% remain three months after discovery. The research shows that organisations are dedicated to fixing and responsibly disclosing flaws and they must be given reasonable time to do so.
- Bug bounties aren’t a panacea. Bug bounty programs get the lion’s share of attention related to disclosure but the lure of a payday actually is not driving most disclosures, according to the research. Nearly half (47%) of organisations have implemented bug bounty programs but just 19% of vulnerability reports come via these programs. While they can be part of an overarching security strategy, bug bounties often prove inefficient and expensive. Given that the majority of security researchers are primarily motivated by seeing a vulnerability fixed rather than money, organisations should consider focusing their finite resources on secure software development that finds vulnerabilities within the software development lifecycle.
To gather relevant data for this report, 451 Research conducted survey commissioned by Veracode from December 2018 to January 2019 using a representative sample of 1,000 respondents across a range of industries and organisation sizes in the US, Germany, France, Italy and the UK.
Survey respondents reported enterprise roles such as application development, infrastructure and information security, as well as security consultants, third-party vulnerability assessors or penetration testers, and independent security researchers.
Respondents were required to have an average to high level of familiarity with vulnerability disclosure models to participate.