When a security researcher discovers a vulnerability, it becomes their responsibility to decide how they will disclose it. The three main types of vulnerability disclosure are responsible disclosure (also referred to as coordinated disclosure), full disclosure, and non-disclosure. Which method is “correct” is widely debated between advocates of responsible and full disclosure, while non-disclosure has far fewer advocates.
In short, the three types of disclosure are as follows:
Responsible disclosure – reporting to the organization directly
Full disclosure – reporting the vulnerability to the public
Non-disclosure – not reporting the vulnerability
When performing responsible disclosure, a security researcher first contacts the affected vendor privately to inform them of the vulnerability. This gives the vendor time to address the issue and push a corresponding patch before the public knows about it. Generally, an agreed grace period runs from the time the vendor is alerted until the vulnerability is published, whether by the researcher or by the vendor itself, to a vulnerability inventory such as the CVE list maintained by the MITRE Corporation. The length of that window varies by policy; windows of 45 to 90 days are common, and the researcher should state the deadline in the initial report so that both sides work from the same date.
The full disclosure process operates on the principle that information about vulnerabilities should be available to everyone, without restriction, as soon as possible. This approach does not give the vendor the opportunity to create a patch before the vulnerability becomes public. Instead, it gives all users of the affected product the ability to secure their systems (for example by applying workarounds or taking the product offline) as soon as the vulnerability is known. In some cases the researcher may never submit the issue to a vulnerability inventory at all, practicing full disclosure only through a blog, a conference talk, a mailing list, or similar channels.
Non-disclosure is the opposite of the previous two methods. Information about the vulnerability is shared with neither the vendor nor the public. Common reasons to practice non-disclosure are to exploit the flaw, to sell the vulnerability or an exploit for it, or to take no action under the belief that any information about a vulnerability can be used by malicious entities to further an attack.
Strong beliefs exist on both sides of the question of whether a researcher should practice responsible or full disclosure. While there are many arguments for each, they boil down to a few main points. Supporters of responsible disclosure hold that, without guidance from the vendor, most users cannot properly secure their systems, so full disclosure mainly informs attackers and is likely to cause harm. They also believe the vendor should be given a reasonable amount of time to develop a fix. Supporters of full disclosure counter that a vendor may not feel pressured to produce a fix unless the public knows about the issue and is demanding a patch. They value giving information to all parties openly so that actions to secure systems can be taken as quickly as possible.
It is important for an organization to be well informed of newly discovered vulnerabilities in its systems and products. To do so, the organization must be able to gather vulnerability information from all potential methods of disclosure. This means continuously monitoring the sources where researchers practicing full disclosure publish (vulnerability inventories, mailing lists, conference talks, blogs) to stay well informed.
Additionally, to be able to accept information from researchers wishing to practice responsible disclosure, a company should establish and publish a vulnerability disclosure policy. A vulnerability disclosure policy gives guidance to vulnerability researchers and outlines the process by which they should report a vulnerability to the organization: where to send the report, how to encrypt it, what the organization will do with it, and roughly how long it expects to take before a fix is released.
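A common way to publish the reporting part of such a policy is a security.txt file (RFC 9116) served at /.well-known/security.txt on the organization's web site. The file below is an added example, not OCD Tech's own file; the example.com host, mailbox and URLs are placeholders for the organization publishing the policy.

```text
# /.well-known/security.txt (RFC 9116)
# Example only: example.com, the mailbox and the URLs are placeholders.
# Contact is required; list the preferred channel first.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
# Expires is required. RFC 9116 recommends a date less than a year out so
# a stale file is not trusted indefinitely.
Expires: 2026-12-31T23:59:59.000Z
# Where researchers can fetch the key used to encrypt reports.
Encryption: https://example.com/security/pgp-key.txt
# Full disclosure policy: scope, expected timelines, safe-harbor terms.
Policy: https://example.com/security/disclosure-policy
# Page crediting researchers who reported responsibly.
Acknowledgments: https://example.com/security/thanks
Preferred-Languages: en
# Canonical location, so a copy served elsewhere can be recognised as such.
Canonical: https://example.com/.well-known/security.txt
```

RFC 9116 also recommends signing the file with an OpenPGP cleartext signature so a researcher can tell that the contact details were not tampered with, and the Expires date should be refreshed before it lapses; a file that has expired should be treated as unreliable by anyone reading it.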
For assistance developing a vulnerability disclosure policy please contact OCD Tech, or email me at [email protected]