Building vulnerability disclosure terms

Posted on 2020-09-21 by Matt Strahan in Business Security

We have now released new vulnerability disclosure terms for Volkis. You can look at them here. They were based off the excellent templates pushed by Bugcrowd among others. I’d like to take a bit of time to talk about why vulnerability disclosure terms are important and why each and every company, no matter how large or small, should have them.

We’ve already talked about bug bounties vs penetration testing. My conclusion there was “why not both?” They both handle the detection of security vulnerabilities from different angles. In that post I argued that one of the biggest advantages of bug bounties is they give a safe way for reporting it to you.

Let’s say you have stumbled upon a security issue in some company. Sure it’s fun… but it’s also kind of awkward. You’ve got a few challenges here, so let’s look at them one by one.

Who are you gonna call?

This is a business threatening vulnerability you have and so you have better alert them straight away. But…how?

You’d think that you just need to…I don’t know…tell them and they’d go “oh that’s terrible” and jump straight on it. That’s so often not what happens.

You call up their customer services line.

“Hello this is OwnedCorp, how may I help you?”

“Hi I’d like to report a security vulnerability.”

“Sorry? We don’t work in security.”

“No it’s a security vulnerability for you.”

“Unfortunately you’ve called the customer service line.”

“Can I get the number for your security guy?”

“Unfortunately it’s against our policies to give out personal information on our customer service line. Thanks, bye!”

OK that went well. So you send an email, but of course the company doesn’t know what to do with that email. The odds of you getting the one person in the entire company that both knows enough to know that it’s bad plus cares enough to do the work to fix it are pretty minimal.

Even though it’s one small part of the vulnerability disclosure terms, just having a person to contact makes it a whole lot easier to report those vulnerabilities.

Will they care?

This brings us to the next part of the vulnerability disclosure terms. What are the expectations on us?

When you’re a security researcher you want to know you’re going to be listened to. Partially this might be because we’re lonely and potentially drunk when we find these security issues, but mostly it’s because it just sucks to talk to someone and not get any response.

As part of the vulnerability disclosure terms you should set out two things:

  • Will you care about the vulnerability? Some things you just won’t care about. Is it not a security vulnerability? Is this already public information? Are you not concerned if it’s not exploitable? List that.
  • What will you do when you get a vulnerability? Will you just take it and say “thanks?” Will you seek to work with the researcher? Put that out early.

The “not getting arrested challenge”

Over this year, the hacker known as “Alex” had a great challenge ahead of him. He had former Prime Minister Tony Abbott’s passport details. How was he going to both help fix the issues plus not land himself behind bars? He had to play the do not get arrested challenge!

Reporting vulnerabilities can not only be a bit of work but it can also be a personal risk to the security researcher. How can they be sure you won’t go “why are you trying to hack into us?” and then call the police? Sometimes lawsuits can be in question.

But you’re just trying to help! Are you altruistic enough to risk landing in prison?

This brings us to ground rules and safe harbour. The vulnerability disclosure terms should say where the line is and explicitly say what is and isn’t fair game. This will lower the risk for the tester, they will know it’s OK to report.

Can I tell my friends?

Despite having protecting the confidentiality of information as our jobs, security researchers are a gossipy bunch. We like talking about all the stuff we have and will be doing.

Sure you might not want your organisation in the news for having had a major security issue, but that might be too bad. They have the information and it’s usually within their rights to talk about it.

You can, however, begin the negotiation early. Instead of using unenforceable legal threats that will likely bring its own style of bad news your way, you can start the negotiation early and have a disclosure policy. This will make it clear what you’re happy or not happy with people talking about.

Show me the money

Maybe I don’t just “stumble upon” these vulnerabilities. Maybe I’ll go looking for them. That sounds like effort though, is it worth it?

Bug bounties are becoming more and more common nowadays as a way of incentivising the discovery of these security issues. It’s better that someone friendly finds them instead of someone who’s going to target your organisation!

The bug bounty doesn’t necessarily have to be money though. It could be in the form of swag or shout outs or scotch. It’s about getting something for your time.

For me I made a single joke on Sectalks about making cookies for P1. My baking skills aren’t all that good so there’s a choice of Anzac Biscuits or Choc Chip Cookies - that’s all I know how to make!

Suddenly it’s part of our official vulnerability disclosure terms.. I’ve been told that that having the MD make cookies is even more of a reward than money!

The bigger the payout (be it in money or cookies) though the more people will be looking and the more likely someone’s going to just accept the payout rather than using the vulnerability for evil. It’s all a balance!

Putting this all together

This can be all combined to get what you see in our own Vulnerability Disclosure Terms. Here’s what’s in those terms:

  • Official communications channel for reporting vulnerabilities including any PGP keys or additional security mechanisms to make sure they’re not being snooped on.
  • What are we going to do when we get those vulnerability reports.
  • What is in scope and out of scope.
  • What vulnerabilities we will explicitly not care about.
  • Disclosure policy.
  • Safe harbour and ground rules.
  • Bug bounty amounts (if you are putting them out).

And that’s it. Luckily a lot of this is done for you in the great templates.

If your company doesn’t have vulnerability disclosure terms, you’re letting yourselves down. It doesn’t take long to put together, it’s practically free to do, and helps ensure that any security reports are addressed straight away.

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Ben White on Unsplash.

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn