Why are some vulnerabilities disclosed responsibly while others are not?

EU’s cybersecurity agency ENISA has delved into the problematics of vulnerability disclosure and has released a report that addresses economic factors, incentives and motivations that influence the behaviour of the various vulnerability disclosure actors, as well as two case studies of recently disclosed high-profile vulnerabilities (Meltdown, Spectre, EternalBlue) that illustrate how the process occurs.

It examines the economic aspects of the infosec market and how they relate to vulnerability disclosure, as well as how classical economics concepts can be applied to the issue (tragedy of the commons, network effects, externalities, asymmetric information and adverse selection, liability dumping, moral hazard).

“Economics is a key driver of modern security and economic considerations often determine the decision of approaches to be taken when resolving issues. This report perfectly illustrates this fact and provides valuable insight into why different actors behave as they do in the vulnerability disclosure space,” noted Udo Helmbrecht, ENISA’s executive director.

Key insights

“Overall, the study has a produced a number of key findings. First and foremost, the study shows the importance that vulnerability disclosure, and predominantly CVD, plays in modern society. As witnessed in the case of EternalBlue, vulnerabilities in widely used software and hardware can cause immense societal harm across the globe and it is necessary to have processes in place to adequately identify, report, receive, triage and mitigate vulnerabilities,” the researchers found.

Other findings include:

• It’s important to approach vulnerability disclosure as an ecosystem. All actors involved in vulnerability disclosure should recognise the importance of setting up and running mutually beneficial structures that enables effective and efficient CVD to take place
• The actors should be provided with resources, good practice and voluntary standards
• Finders, coordinators and vendors must be able to constructively engage with each other in a timely fashion and in a shared language that both parties understand
• Ensuring safe harbour practices and legal safeguards for security researchers working to identify and report vulnerabilities is a must
• Most organisations should consider implementing a CVD process, and some may want to consider a bug bounty programme, but not at the cost of other information security interventions in the development and testing stage.
• While CVD and bug bounty programmes can identify certain types of vulnerabilities, they are unlikely to identify larger structural issues present in modern computing systems, so governments, academic instructions and private organizations should keep investing in long-term security research to identify and mitigate fundamental weaknesses such as design flaws or protocol vulnerabilities.

The report was compiled based on desk research, review of the available literature (academic research, technical reports, media articles, etc.) and interviews with experts from the vulnerability disclosure community (representatives from academia, bug bounty platforms, vulnerability disclosure programme operators, vendors, etc.).