Vulnerability Disclosure Programs; Device Makers Take Note

The security of IoT devices has been on people’s minds, and many in government are concerned about their role. Policy makers and innovators have struggled with how to deal with vulnerabilities discovered by third parties.

The National Telecommunications and Information Association (NTIA) convened a multi-stakeholder process to look at the pros and cons of public disclosure and various private efforts to manage vulnerabilities.  Today, its effort yielded several documents, two of which are open for public comment.  These documents touch on complex issues that companies face, and reflect the normative judgments of the participants to date.  Overall, they promote disclosure programs, but may be improved by additional perspectives on risk and business decision making. 

  • Vulnerability Disclosure Attitudes and Actions: A Research Report. This report reflects the perceptions and expectations of the researcher community and of the vendors that interact with them. One takeaway is that 95% of researchers expect “that technology providers and operators will provide notification to the security researcher” when an identified issue is resolved. And 60% of respondents claimed to fear “they may be subject to legal proceedings if they disclose their work.” The vendor and operator survey found a “vast gulf between more mature and less mature companies” and focused on the perceived benefits of such programs, but did not delve into the tradeoffs or dangers related to disclosure programs.
  • A template for Coordinated Vulnerability Disclosures.  This template offers sample policies and approaches, with some tradeoffs identified.  The issues identified take certain preferences for granted, however, and the document does not grapple with the internal costs and considerations that will come with a program, such as the manpower needed to manage reports, how to resolve or close out reports, and whether a company might want to maintain privilege over its treatment of reports.  The working group is seeking comment on the template; comments can be sent to afriedman@ntia.doc.gov, with a deadline of February 15, 2017.
  • A draft of Guidelines and Practices for Multi-Party Vulnerability Coordination. It offers five use cases and several variants, along with a “collection of best current practices” for complex scenarios involving “vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time.”  The complex draft offers numerous diagrams and flow charts, but may oversimplify some challenges.  For example, it identifies three “causes” for a device being shipped before a vulnerability is discovered or fixed: it is “not well tested,” the product “is deployed too soon,” or it “is deployed with known vulnerabilities.”  It does not note that even good faith, robust testing can fail to detect all issues.  This document is open to public comment through January 31, 2017. 

IoT innovators and others in the technology space should keep these efforts in mind, because they may be expected to adopt a program to address vulnerabilities and their disclosure.
