Vulnerability disclosure: Legal risks and ethical considerations for researchers

In this Help Net Security interview, Eddie Zhang, Principal Consultant at Project Black, explores the complex and often controversial world of vulnerability disclosure in cybersecurity.

Zhang explores the intricate balancing act that researchers must perform when navigating the interests of various stakeholders, including the public, private companies, and government agencies. He discusses the ethical, legal, and practical implications of different disclosure strategies, ranging from full public disclosure to more discreet, coordinated approaches.

The conversation also touches on the broader ethical considerations in cybersecurity and the impact of emerging technologies on vulnerability disclosure practices and offers advice for cybersecurity professionals grappling with these critical decisions.

Decisions around vulnerability disclosures should always be made considering local laws and potential legal ramifications.

How can researchers balance the interests of different stakeholders, such as the public, companies, and government agencies, when deciding on a disclosure strategy?

Finding this balance when deciding on a disclosure strategy relates to the researcher’s view on ‘what is ethical’ and risk tolerance. The interests of the public (concerned about their security/data) often conflict with the interests of companies (protective of their IP and reputation) in these scenarios.

Some might argue that in the interest of the public, public disclosure is the most ethical approach as it ensures the issue is closed as quick as possible. Others may see public disclosure as self-serving and attention seeking behaviour that works only in the interest of the researcher themselves.

Secondly on the topic of risk tolerance, opting for public disclosure may expose yourself to more risk as an individual if the organisation or in some cases government agencies decide to pursue you legally.

Could you elaborate on the legal considerations and potential ramifications of different disclosure approaches?

Seek local legal advice about your specific scenario.

A company will aim to avoid negative publicity. Opting for full public disclosure can apply pressure to the affected organisation to fix the issue, however this pressure can also manifest itself into a legal pursuit against you.

Security Research Threats is a good collection of legal threats made against researchers to see how some of these scenarios have played out. Legal threats range from intellectual property violations, cease and desists to threats of jail time.

Working together with the organisation through a coordinated or private disclosure and acting in good faith can lower the risk to you as individual but does not guarantee zero risk.

What are the ethical implications of choosing full disclosure over responsible disclosure?

Responsible disclosure is generally considered more ethical. The primary goal of disclosing vulnerabilities should be to protect people rather than seeking personal recognition. Working with the impacted party can give them time to fix things properly.

Conversely full public disclosure can result in harming more people if malicious actors exploit the issue in the window between public disclosure and application of a patch.

The counterargument against this often relates to remediation time frames that are excessively prolonged in a coordinated disclosure scenario. If there are concerns that malicious actors are already exploiting the vulnerability, you can apply pressure by setting a deadline for public disclosure. However, there is the risk that the company may see this as extortion.

What advice would you give cybersecurity professionals navigating the decisions involved in vulnerability disclosure?

1. Understand your local laws relating to vulnerability research and disclosure.

2. With this knowledge, perform your own risk assessment before going down this journey. Consider in the worst case, you may be risking your professional reputation and employment. What is the likelihood of that eventuating? Are you willing to accept that risk or is there anything you can do to mitigate it (e.g. by disclosing anonymously)? For a lot of people, the potential risk isn’t worth the benefit of being a good samaritan and thus they avoid disclosing vulnerabilities altogether.

3. Arguably, most importantly, be respectful and act in good faith. Ideally you want to act within the letter and the spirit of the law, however the letter of the law is often vague or outdated when dealing with topics like ethical hacking. In the absence of strict legal protections for ‘trying to do the right thing’ with a vulnerability disclosure, acting in good faith tends to reduce the likelihood of legal pursuits.

How does the decision to publicly disclose a vulnerability align with broader cybersecurity ethics?

This can be a bit of a rabbit hole. Who decides what is ethical? What are cybersecurity ethics? I don’t think I am the authority for these questions but broadly here’s some discussion points that I will leave with the you the reader to think about:

The impact of public disclosure on individuals at the company

• Companies are made up of people. Mistakes like bugs or security issues are bound to happen so long as a human is involved. Public disclosures place a lot of pressure on the workers at the front lines who have to fix the problem. Beyond the stress of the situation, there’s also a risk that key people at these organisations might get targeted or harassed by the public. Is it ethical to put these individuals at risk for the greater good?
• Equally companies who handle data need to be handle it responsibly and ensure that there are sufficient people, processes, and technologies to prevent these mistakes. Does a public disclosure drive the change to fix any of these things?

Public interest

• A common argument for public disclosure relates to ‘people needing to know’ that their data is being mishandled.
• Is it the role of vulnerability researchers to fulfil this need? Shouldn’t regulatory bodies ensure companies within their jurisdiction are handling data correctly?
• Cybersecurity can be a bit of an echo chamber. Does the general population even care?

Privacy of impacted individuals

• Is it ethical to expose data (if the vulnerability relates to leaking it) through public disclosure to protect against the hypothetical situation that malicious actors are already exploiting it?
• Do you become the bad actor in this case if no one actively exploited the issue until you publicly disclosed it?

How might emerging technologies influence the practices of vulnerability disclosure?

Emerging technologies create new attack surfaces and new attacker techniques. I don’t believe emerging technologies will fundamentally change how we disclose vulnerabilities. However, I do think that it has never been more important for organisations to have strong programs for handling these disclosures.

Organisations should encourage the public to come forward to report vulnerabilities. The worst case scenario is a vulnerability, not disclosed due to fear of legal consequences, is later discovered and exploited by a malicious actor, resulting in a data breach.

Regulatory bodies/government agencies should also move to legislate protections for researchers acting in good faith.