The other side of the story: do we still live in vulnerability disclosure dark ages
About a month ago, Wired magazine published an article on bug bounties and vulnerability disclosure. The article has stayed on my mind, and I think it is worth reflecting on it from the perspective of someone who manages vulnerability disclosure on behalf of a company in the industry.
Undeniably, the article holds some truth. It is true that many companies still treat security as an afterthought. It is true that with some companies it is very difficult, if not impossible, to report a security vulnerability without resorting to public disclosure. However, let’s not discount the growing number of companies that practice responsible disclosure and actively work with security researchers.
The reality is that security does not sell. Customers will pay for technology innovations, trendy UI and good UX, but they expect security as a given. It is therefore not unusual to hear my peers discuss how security lacks investment within their companies, yet receives the most blame when things go south.
We recently reviewed our vulnerability disclosure practice, with the goal of finding ways to accelerate patch delivery to our customers. Defining an appropriate goal or KPI to follow is a very delicate matter. One benchmark is to adopt Google Project Zero's 90-day default deadline for a fix; nevertheless, even Google recognizes that such a practice may do more harm than good to security. Its recently revised policy is a better match for reality and, in my opinion, a step in the right direction.
It may be unfortunate, but I believe many vendors are feeling the squeeze. I am sure many practitioners working on security vulnerabilities and responsible disclosure feel as if they are working at a drive-through with aggressive KPIs. Stress and panic will persist, which may lead to subpar fixes. For instance, Microsoft was forced to roll back security fixes last month. As an outsider, it seems the fix did not have enough time to go through validation properly, leading to a partial zero-day, i.e. the vulnerability is now publicly known without a proper patch.
It is never easy to balance speed against completeness when fixing a security vulnerability. At the very least, our industry does not have a defined and agreed-upon standard. Wired magazine may think we have made little progress in vulnerability disclosure since 2003, yet the reality is complex, and finding the silver bullet for vulnerability disclosure has not been an easy quest for anyone.