Thanks to recent work, particularly by the Dutch National Cyber Security Centre, the processes that result in successful discovery and reporting of software vulnerabilities are reasonably well understood. For those processes to work, though, potentially tricky human interactions need to be negotiated: discoverers don’t know whether they will be regarded as helpers, criminals or sources of offensive weapons; organisations distributing or using vulnerable software need to resist the urge to shout at the researcher who has just found a crack in their prized possession. Eireann Leverett and Marie Moe discussed their own experiences as, respectively, security researcher and vulnerability coordinator at last week’s FIRST conference.
As in any interaction between humans, the first few exchanges are critical to establishing a successful relationship. Both sides need to make their professionalism and expertise clear, as well as determining that both have something to gain from continuing the conversation. In the security community, responding promptly and making proper use of encryption are important signals. If I send you an encrypted message and you reply in clear text, you’re putting your reputation and, perhaps, my safety at risk, not just the message content. But it’s also important to get the human issues right – a reporter who just says “these systems are vulnerable” without giving the recipient sufficient information to discuss the severity of the vulnerability with system owners, or a recipient who doesn’t provide regular positive (or negative, if appropriate) feedback, can easily, and probably unintentionally, create the impression that the conversation is a waste of time. The aim should always be to provide information that can, and will, be acted on. Reporters expect to talk to someone with both technical security expertise and authority – if the initial contact reaches the wrong person in an organisation, it needs to be passed on quickly or else the opportunity to fix insecure systems may be lost. Offering a face-to-face or telephone meeting shows that you are taking the issue, and the other party, seriously.
Once trusted communications have been established and the initial information exchanged, a professional reporter may be able to provide more help. The appropriate process was characterised as “assisted discovery”: the affected organisation needs to establish the severity and appropriate response for itself, but the reporter can help it to avoid jumping to conclusions (either over-optimistic or over-pessimistic) and to identify the appropriate remedy. A researcher who has discovered a vulnerability will often have a good idea of where traces of others exploiting that vulnerability might be found, or of what temporary measures might mitigate it until a permanent fix is deployed. These discussions may well follow different paths (and take place at different emotional levels) depending on whether the report concerns a vulnerability that might cause problems for the organisation, a compromise that is already causing it problems, or a security issue (for example a website serving malware) that the organisation is causing for others. But when a reporter wants to “make us a success story”, organisations should do their best to oblige.