Vulnerability Disclosure Programs; Device Makers Take Note
December 15, 2016
The security of IoT devices has been on people’s minds, with many in government concerned role. Policy makers and innovators have struggled with how to deal with vulnerabilities discovered by third parties.
The National Telecommunications and Information Association (NTIA) convened a multi-stakeholder process to look at the pros and cons of public disclosure and various private efforts to manage vulnerabilities. Today, its effort yielded several documents, two of which are open for public comment. These documents touch on complex issues that companies face, and reflect the normative judgments of the participants to date. Overall, they promote disclosure programs, but may be improved by additional perspectives on risk and business decision making.
- Vulnerability Disclosure Attitudes and Actions: A Research Report. This report reflects perceptions and expectations of the researcher community and vendors that interact with them. One takeaway is that 95% of researchers expect “that technology providers and operators will provide notification to the security researcher” when an identified issue is resolved. And 60% of respondents claimed to fear “they may be subject to legal proceedings if they disclose their work.” The vendor and operator survey found a “vast gulf between more mature and less mature companies” and focused on perceived benefits from such programs, but did not delve into the tradeoffs or dangers related to disclosure programs.
- A template for Coordinated Vulnerability Disclosures. This template offers sample policies and approaches, with some tradeoffs identified. The issues identified take certain preferences for granted, however, and the document does not grapple with the internal costs and considerations that will come with a program, such as the manpower needed to manage reports, how to resolve or close out reports, and whether a company might want to maintain privilege over its treatment of reports. The working group is seeking comment on the template; comments can be sent to email@example.com, with a deadline of February 15, 2017.
- A draft of Guidelines and Practices for Multi-Party Vulnerability Coordination. It offers five use cases and several variants, along with a “collection of best current practices” for complex scenarios involving “vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time.” The complex draft offers numerous diagrams and flow charts, but may oversimplify some challenges. For example, it identifies three “causes” for a device being shipped before a vulnerability is discovered or fixed: it is “not well tested,” the product “is deployed too soon,” or it “is deployed with known vulnerabilities.” It does not note that even good faith, robust testing can fail to detect all issues. This document is open to public comment through January 31, 2017.
IoT innovators and others in the technology space should keep these efforts in mind, because they may be expected to adopt a program to address vulnerabilities and their disclosure.