Stakeholders involved in NTIA’s cybersecurity multistakeholder process to promote collaboration on vulnerability research disclosure today are releasing initial findings, recommendations, and resources that they hope will enhance cooperation and lead to a more secure digital ecosystem. The three stakeholder-drafted reports reflect the experience and wisdom of many of the key experts in the field, including active security researchers, experienced software companies, security companies, academics, and civil society advocates, as well as industries new to the issue.
Vulnerability disclosure has long been an open, important issue in cybersecurity. Companies need a strategy to deal with flawed software, systems, and configurations, especially when the issues are first discovered by a third party. Without a strategy, for example, companies sometimes choose to threaten the third party with legal action rather than working together to fix the vulnerability. This need is heightened as more and more organizations become part of the digital economy.
A diverse set of stakeholders participated in this process for more than a year, attending four in-person meetings across the country, and participating in countless conference calls and drafting sessions. On behalf of NTIA, I want to thank them for their hard work and dedication to seeking consensus and increased collaboration on these important cybersecurity issues.
Participants were clear from the outset that there is no one-size-fits-all solution, and that the principles and guidance developed by stakeholders should reflect the diversity of needs and capabilities of the wide range of organizations and individuals involved. At the first meeting in California last year, participants identified several key areas of focus: (1) awareness and adoption of existing disclosure practices; (2) the intersection of security disclosure and safety critical industries; and (3) multi-party vulnerability disclosure. Participants also acknowledged existing work in the area, such as the best practices included as part of international standards developed through the International Organization for Standardization (ISO).
At the last meeting of NTIA’s vulnerability disclosure process in November 2016, the three working groups presented their work for comment and discussion and agreed to make public a portion of their work for consideration and use.
The working group focused on awareness and adoption surveyed security researchers and technology providers to better understand their respective practices and motivations, obtaining data from almost 700 different parties. The results are presented and discussed in Vulnerability Disclosure Attitudes and Actions: A Research Report. For example, the survey found that a majority of security researchers who notify technology firms of vulnerabilities value direct and open communication but still fear legal repercussions. The working group will build on these findings to continue promoting awareness and adoption of good disclosure practices.
The second working group focused on security disclosure in industries where the potential for harm directly impacts human safety. Participants felt that these industries, unlike traditional software vendors, may not be entirely familiar with the principles and practices around security disclosure and how to proceed when a vulnerability is discovered. To empower these sectors, this working group developed a Coordinated Vulnerability Disclosure “Early Stage” Template. This document reviews key issues for companies to consider when designing a vulnerability disclosure policy, including how to scope a policy and how such policies might evolve over time. While this guide was drafted with safety-critical industries in mind, and with their participation, it can also be used by any organization interested in taking the first steps toward a disclosure policy.
The third working group addressed more advanced challenges that the disclosure community has been facing: what happens when a disclosure affects multiple parties. These situations may require further coordination to avoid security risks, and stakeholders identified the need for more widely understood and accepted best practices. This was a joint effort between NTIA stakeholders and members of the Forum of Incident Response and Security Teams (FIRST), an international organization that helps expert teams better respond to security incidents. The resulting “Guidelines and Practices for Multi-party Vulnerability Coordination” describes different use cases and patterns of communication, from very simple cases to more complex ones involving supply chains or shared open source libraries, or instances where vulnerability information is publicly disclosed before some stakeholders are prepared.
The joint FIRST/NTIA working group is soliciting feedback on its draft document. In addition, at the last stakeholder meeting in Washington, D.C., participants strategized about how to further expand awareness and adoption of robust vulnerability disclosure practices.
These three documents will help many types of organizations better understand security disclosure, and develop their own strategies. NTIA will continue to work with stakeholders on outreach models and ways to educate key sectors and organizations, raise awareness of this important issue, and encourage adoption of practices that help improve security of the digital economy.