Over the past year, Qualys (where I'm employed as the CISO) discovered serious weaknesses in the Schneider Electric ETG3000 FactoryCast HMI Gateway, an administrative interface used to manage industrial control systems, and in the glibc library used on Linux. In both cases, the vulnerabilities could allow a remote attacker to take control of the affected systems and cause significant harm. Once such vulnerabilities are discovered, should one disclose them? If so, how does one do that?
There are two types of disclosure used by alumni of Regis' information assurance graduate program and by the security research field at large: full disclosure and responsible disclosure. Full disclosure is the practice of publishing the details of the vulnerability as early as possible and making the information available to everyone without restriction, typically by releasing it publicly through online forums or websites. The primary argument for full disclosure is an ethical one: the potential victims of attacks should be as knowledgeable as those who attack them.
By contrast, responsible disclosure requires that the security researcher not disclose the vulnerability until a fix is available. The argument for responsible disclosure is that blackhats (cyber criminals) can typically exploit a publicly disclosed vulnerability much more quickly than those who are attacked can fix it. As such, it is important that a fix is ready and widely available by the time the vulnerability becomes widely known. Responsible disclosure essentially requires:
That the security researcher who found the vulnerability reports it confidentially to the affected company.
That the security researcher and the company work in good faith to establish an agreed-upon period of time within which the vulnerability will be patched.
That once the agreed-upon time period expires and the vulnerability is patched, or the patch is available for installation by users of the software, the security researcher may publicly disclose the vulnerability.
Several companies, such as Google, Microsoft, and Facebook, have also instituted bug bounty programs. Bug bounty programs work like responsible disclosure, except that the security researcher is compensated for reporting the vulnerability.
As a future security professional with your master's degree in information assurance, you may one day discover a vulnerability that could be leveraged by blackhats to wreak havoc across the Internet. When you do, how will you disclose the vulnerability?