locale
English

Positive Technologies: vulnerability disclosure and researchers/vendors interaction in 2022–2023

In today's ever-evolving digital environment, we see promising advanced technologies, software, and hardware being developed and implemented at a very rapid pace. However, their successful implementation and use can be compromised if attackers discover vulnerabilities in them. The expanding threat landscape, the growing number of vulnerabilities, and the rising cost of attack consequences are the major challenges for software and hardware vendors seeking to protect their products from emerging threats. In this study, we will share our insights and statistics gleaned by Positive Technologies security researchers while interacting with vendors. We will also give some advice to vendors on how to organize a transparent and predictable process of vulnerability disclosure.
16 FEBRUARY 2024

Contents

Introduction

Today's constantly evolving digital landscape is notable for a fast pace of software and hardware product development, and appearance of many new and next-generation technologies. All of this is being adopted in many spheres of our life with the aim to improve interoperability between systems and devices, performance targets, and the quality of life.

However, successful adoption of new products and technology may be disrupted if these are found to contain vulnerabilities that allow malicious actors to do whatever they please: for example, to impair their operation or steal confidential data. One of the latest examples of this is the mass exploitation of a vulnerability in the MOVEit File Transfer secure file sharing solution. That resulted in malicious actors getting access to confidential data and demanding ransom for not publishing it. A total of more than 2,500 companies and 94 million users around the world were affected. The number of vulnerabilities keeps growing: according to the U.S. National Institute of Standards and Technology (NIST) the number of vulnerabilities discovered in 2023 (28,902) exceeded 2021's (20,155) and 2022's (25,081) figures by 42% and 14%, respectively. According to the FSTEC threat database, the year 2023 saw 42% more vulnerabilities discovered than 2021.

Figure 1. Number of vulnerabilities discovered in 2021–2023 as per NIST
Figure 2. Number of vulnerabilities discovered in 2021–2023 as per FSTEC Data Security Threats Database (DSTD)

Delays in remediation of vulnerabilities and public disclosure of vulnerability details prior to patch release by vendors increasingly allow malicious vendors to use exploits in attacks: according to our data, the percentage of successful attacks that were seen to exploit vulnerabilities in software and web applications increased by 10 points year-on-year in Q3 2023. The average loss from a data leak according to IBM, had grown by 15% in three years to reach $4.45 million in 2023, with each breach and leak costing businesses more and more.

An expanding threat landscape, a growing number of vulnerabilities, and increasing losses from attacks on systems are the main challenges to software and hardware vendors who seek to protect their products against new threats. In this context, an environment that encourages collaboration between vendors and security researchers is not only a good practice but a strategic imperative as well, as trustful, transparent vendor-researcher relationships can play a key part in strengthening security.

About this study

In this study, we share our experience and statistics of working with vendors, where Positive Technologies experts played the part of security researchers, and offer vendors a series of recommendations that can help to set up a transparent and predictable process of vulnerability disclosure. The study is based on our own data that we obtained while liaising with 84 software and hardware vendors on responsible and coordinated vulnerability disclosure in 2022–2023.

A few words about vulnerabilities

Vulnerabilities discovered for the first time are referred to as zero-days, or 0-days. These are detected security flaws that the software vendor is not aware of and that have no fix at the time of discovery. A vulnerability ceases to be considered a zero-day from the moment it is discovered and addressed with a patch, as it is then publicly known and can be remediated.

It often takes profound knowledge and experience in cybersecurity, and software design and development to discover a zero-day. Cybersecurity researchers may do this by participating in bug bounty programs for a reward or by working directly with the vendor. When the software vendor learns about a zero-day, a timely patch becomes critical due to the risk of zero-day exploits appearingA zero-day exploit, or 0-day exploit, is a piece of code or a technique that exploits previously-undetected and unpatched software vulnerabilities to launch cyberattacks..

Researchers on the PT SWARM (PT Security Weakness Advanced Research and Modeling) team succeed in finding vulnerabilities in a variety of products ([1], [2]), and successfully work with vendors to remediate these: in 2022–2023, security analysis experts detected more than 250 vulnerabilities, 70% of these having a high or critical severity level, in software and hardware by 84 vendors.

Figure 3. Geographic distribution of vendors whose products Positive Technologies researchers found to contain vulnerabilities

Possible scenarios

Approaches to vulnerability disclosure can differ depending on the goal chosen by the researcher:

  • Non-disclosure: security researchers find vulnerabilities, keep these a secret and use to their own ends, or sell to outside organizations or on dark web forums.
  • Full disclosure: researchers find vulnerabilities and publish the details of these without warning the vendor first.
  • Responsible disclosure: researchers inform the vendor about the vulnerability, give them a reasonable period of time to fix the issue, and publish information about the vulnerability once that period expires. A researcher who has been following the principles of responsible disclosure may do a full disclosure if the vendor is making communication difficult or will not participate in the remediation process.
  • Coordinated disclosure: a modified form of responsible disclosure where the cooperation between the researcher and the vendor to detect and remediate vulnerabilities involves governments or international organizations and end-users. Governments and international organizations in this context act as a mediator between the researcher and the vendor.

The difference between responsible and coordinated disclosure is that the former focuses on vendor-researcher cooperation, whereas the latter includes coordination between all concerned parties.

Figure 4. Steps by Positive Technologies researchers when disclosing a vulnerability

Positive Technologies researchers adhere to the principles of coordinated disclosure when discovering vulnerabilities in vendor products. The process involves not just the researchers and the vendor, but also regulators and organizations that act as a mediator between vendors or assist with obtaining unique identifiers in vulnerability registries. If the vendor complicates communications or fails to participate in remediation, the researchers notify governments or international organizations and request their assistance in establishing contact with the vendor according to the coordinated approach.

Figure 5. Parties to the coordinated disclosure process

Roles of regulators, international and national organizations in vulnerability disclosure

Regulators and other organizations, national or international, tend to play important, and often key, roles in coordinated disclosure:

  • Act as a mediator between security researchers and vendors if the two have communication issues.
  • Assist with identifying, registering vulnerabilities, and assigning unique identifiers.
  • Help to coordinate the actions of all parties to the disclosure process.
  • Influence the decision to review vulnerability reports, and monitor remediation and patching of end-user systems.
Our experience. Case 1

Software made by a version-control vendor was found to contain vulnerabilities. Researchers then tried to contact the vendor but received no response. After a lengthy wait, they decided to reach out to the regional CERT CERT — computer emergency response team and notify it about the vulnerabilities in the vendor's products. The CERT contacted the vendor, compelled it to talk to the researchers in order to start a remediation process, and acted as a mediator.

Table 1. Organizations involved in a coordinated disclosure process

Organization type Purpose Examples
Governments (regulators) Nationwide coordination of information security efforts FSTEC, Russia; CNITSEC, China; CISA, U.S.; ENISA, EU
International and national organizations Identify, register vulnerabilities, and assign unique identifiers FSTEC DSTD, Russia; CNA, U.S.; MITRE, U.S.; CNVD and CNNVD, China
Information security incident response teams Promptly respond to incidents and support the parties during remediation NCIRCC, Russia; national and industry CERTs (JPCERT/СС, ICS-CERT, Energy CERT, and others)

Why responsible disclosure matters to everyone

Awareness of all potential risks when setting up a transparent disclosure process is essential for vendors who are working to make their products secure. We understand transparent disclosure to be a process in which the vendor works closely with the researcher who discovered a vulnerability and maintains contact with them until releasing a security patch.

Efficient and transparent disclosure helps to maintain customer trust. When vendors actively respond to vulnerability reports, submit clear information, and promptly release security patches, it boosts user trust in the vendor's products and helps to ensure compliance. Companies that are actively engaged in responsible disclosure create a favorable image of themselves, which can attract new customers and reinforce their competitive strength.

Responsible disclosure contributes significantly to prevention of supply chain attacks. The number of incidents caused by supply chainA cyberattack in which the adversary infiltrates a company by compromising software or hardware vendors. For example, cybercriminals may inject malicious code into product source code or distribute malicious updates to infect the target organization's infrastructure and trusted relationshipA cyberattack in which the adversary breaches the infrastructure of a third-party company whose employees have legitimate access to the main target's resources., doubled from the figure for all of 2022. Rapid response to vulnerabilities discovered in the vendor's products helps to avoid supply chain compromise, significantly reducing risks to businesses and even entire industries that have a dependency on complex supply chains and technology ecosystems.

A transparent responsible disclosure process: is it all that simple

What problems there are

During the time that they have researched software and hardware security and worked with hundreds of vendors, Positive Technologies researchers have encountered various cases in which vendors demonstrated their levels of maturity in terms of vulnerability disclosure and cooperation with security researchers.

The following are some of the challenges associated with setting up a responsible disclosure process:

  • Insufficient clarity and structure around communications between vendors and researchers
  • A lack of consistency in vendors' responses to researchers' notifications. Sporadic, delayed responses create a negative experience and may reduce trust in the process.

We believe that the ideal interval between vendor responses is one to seven days: 57% of vendors have been able to respond to Positive Technologies within that time frame. Observing these intervals can significantly reduce the time available for developing and deploying exploits in real attacks: Qualys analysts reported that 25% of high- and critical-severity vulnerabilities detected in 2023 were publicly disclosed and received exploits on the same day, and 75% of discovered vulnerabilities were successfully exploited within 19 days of being detected. Only 39% of vendors achieved the minimum delay of 24 hours between initial researcher contact and the researcher sending out a vulnerability report.

Figure 6. Time between vendor vulnerability notification and report sent

The proportion of vendors that were able to promptly respond and release a patch within the ideal interval of 1–14 days was 14%, which leaves some room for improvement. Almost half (49%) of vendors released their patches within three months, and 37% took more than a quarter to do so.

Figure 7. Time between report sent to vendor and security patch released
  • A lack of adopted standards and clear disclosure policies. The standards and policies are important for uniform communications and clear rules for every party.

According to our statistics on communications with vendors in 2022–2023, only 27% of them had both policies that were clearly defined and explicitly stated on their websites, and contacts. A notable 21% of vendors were running bug bounty programs where researchers could review their rules of disclosure. Programs like these help attract more researchers and raise the standard of product security.

Figure 8. Availability of vendor disclosure policies and contacts
  • Limited researcher incentives: insufficient recognition and incentives for researchers can adversely affect their motivation and desire to cooperate, eventually resulting in a less efficient process.

Recommendations for a transparent responsible disclosure process

PT SWARM researchers have worked under various conditions that range from complete absence of vendor contacts to a perfectly adjusted disclosure and remediation process where vendor officers were always on call. All of this is part of our positive and negative experience, and it helps us to generate recommendations for vendors and communities to help build a transparent process for responsible disclosure and communication with researchers—or make existing processes and mechanisms more efficient.

  • Act professionally and trust researchers

Information security professionals historically tend to be distrustful and sensitive to any criticisms directed at the security standard of systems that they safeguard: such is their job. However, all parties to the disclosure process are on the same side, and they exert a lot of effort to improve product security and rule out exploitation by malicious actors. A transparent disclosure process without trust has very little chance to survive.

Our experience. Case 2

An expert discovered a vulnerability in a product by a Russian software vendor, and informed the company about the issue and their willingness to cooperate in disclosure. Vendor employees responded with contentious criticism and called the legitimacy of the researcher's actions into question.

Remember that researchers seek to keep users safe and fix any discovered flaws, and not to satisfy their egos, self-gratify, or prove that your product is bad.

  • Keep it all in sight and within easy reach

Provide researchers with clear information as to what channels they can use to contact you, should they find a vulnerability in a product. A vulnerability disclosure policy will be a huge benefit. This is a specially prepared document in which the vendor defines the provisions listed below and recognizes the actions of the researcher as legitimate as long as they remain within the scope of the proposed policy:

  • What products, systems, and applications are included in the scope of security research
  • What is allowed and what is not
  • Requirements for a vulnerability report: what data the researcher must submit for the vendor to be able to identify, reproduce, and analyze the vulnerability
  • Contacts and report submission methods (web form, encrypted email, bug bounty program)
  • The vendor's obligations after receiving the researcher's report and next steps (feedback deadline and method, terms of communication throughout the remediation process)
  • Researcher incentives and recognition

The policy aims to:

  • Streamline and clearly define a responsible disclosure process.
  • Assist the vendor in achieving greater customer and community trust in its products and services.
  • Demonstrate that the vendor takes information security and user protection seriously.
Our experience. Case 3

In 2022, Positive Technologies researchers found a vulnerability in hardware by a major vendor and attempted to contact the company. This only took them hours, as the vendor's website featured an appropriate policy. The company replied within two days, exactly as prescribed by the policy.

Published policies make researchers' lives much easier by sparing them the need to spend time looking for dedicated communication channels or confirming report submission procedures.

  • Stay in touch with all parties to the process

In addition to availability of policies and report submission methods, a transparent disclosure process depends on cooperation between all parties to the process: the vendor, researchers, regulators, international organizations, and users. Make sure you submit prompt and exhaustive feedback to all participants of this cooperation, so that each party understands what is going on and has enough time to provide a clear and well-considered response or a plan of action.

Our experience. Case 4

A product by a web content management vendor was found to contain a vulnerability. PT SWARM informed the vendor but received no feedback. It took CERT interference to get the company to respond. The response said the vulnerability had been fixed but provided no further details.

Statistics that we have gathered reflect a positive vendor responsiveness trend: 64% of vendors responded, received researchers' reports, and agreed remediation deadlines. That said, 23% of vendors would take more than three months to respond or would not respond at all.

  • Act responsibly and fast

After the researcher has sent the vendor a report containing technical details and received confirmation that the information would be checked, the vendor starts analyzing the data. The software company devises a remediation plan as it assesses the threat posed by the vulnerability and its potential business impact. This is the time to agree on disclosure details with the researcher to avoid delays in remediation. A clear communication timeline and patch release deadline makes a palpable contribution to a transparent disclosure process.

Our experience. Case 5

A Russian vendor released a security patch within 24 hours of receiving a fairly urgent vulnerability notification from a researcher.

A prompt reply to the researchers' email and verification of the vulnerabilities are not sufficient for improved product security and user protection. Vendors have to take material steps by releasing security patches, and publicly reporting the problem and availability of a fix within the shortest time possible.

  • Incentivize researchers

Researchers who discover vulnerabilities in software products have three main motivations:

  • Community recognition for publishing a vulnerability report
  • Financial gain, such as a reward (bug bounty) from the vendor for assistance with remediating the vulnerability
  • Altruism: a desire to make the products safer for users by helping vendors to remediate vulnerabilities and prevent potential cyberattacks

Make payouts if stipulated; mention researchers in announcements and remediation recommendations; help with designing press releases; assist with obtaining vulnerability identifiers (MITRE, FSTEC DSTD), as this is an integral part of a researcher reward and an important item on their CV; invite researchers to meetups and conferences where they can talk about vulnerabilities they discovered; give the researchers hall-of-fame mentions. Adequate researcher incentives and recognition for discovery of vulnerabilities can motivate them to continue working with the vendors and attract new researchers through community word of mouth. All of the above paint a positive public image and demonstrate a serious attitude to product and user security.

Our experience. Case 6

Working with a large foreign vendor of network equipment was a very rewarding experience: always there when we called, a special vulnerability team, press releases done on time, CVE submissions, a hall-of-fame mention.

Conclusion

In a time of rapid accumulation of vulnerabilities, a haphazard approach to disclosure, where the vendor is unwilling to address issues after being informed by researchers, inevitably leads to failure. It is for this reason that the process of responsible disclosure is of utmost importance and something that vendors have to pay particular attention to. Malicious actors discovering a zero-day vulnerability may jeopardize critical IT infrastructure and important businesses, leading to vast damage to the integrity and confidentiality of organizations' information. Therefore, it is critical for vendors to remain flexible when building transparent disclosure processes.

They should stay open to researchers and government agencies or organizations that coordinate the remediation process. Cooperation provides efficient ways of finding solutions for ensuring each party's security. That being said, newly discovered vulnerabilities must be promptly remediated to reduce malicious actors' chances of exploiting these in attacks. Not only does responsible, transparent disclosure ensure security of specific vendor systems, products and applications, but it also builds researchers', regulators', customers', and partners' trust, and improves entire industries' standard of security.

Get in touch

Fill in the form and our specialists
will contact you shortly