
Tenable Blog


The Vulnerability Disclosure Debate

For many of us in the information security industry, the vulnerability disclosure debate is old and tired. I’ve been dealing with this myself going on twenty years now. The underlying debate hasn’t changed much, but there have been a few new wrinkles and nuances added over the years. At its core, the debate is about how someone who finds a security vulnerability and the vendor of the product in which it was found should behave.


One of the big differences with this age-old debate today is that there are now new players in the game, players who were not around twenty, ten, or even five years ago; people who don't remember the days of full or no disclosure, the RFPolicy or the introduction of responsible disclosure that has morphed into coordinated disclosure. Companies such as auto manufacturers, airlines, energy companies and medical device manufacturers are just now starting to learn some of the painful lessons the rest of us learned the hard way. So we can either grit our teeth and flail about as these new entrants to the debate learn these old lessons, or we can attempt to gently guide them along the path that the rest of us have been trotting along for years and come to some sort of common level of understanding.

In fact, how to handle information security vulnerability information was one of the topics discussed at the White House Summit on Cybersecurity and Consumer Protection back in February. This age-old debate has become so important that even the President of the United States is discussing it.

Enter the National Telecommunications and Information Administration

The National Telecommunications and Information Administration (NTIA), part of the Department of Commerce, is attempting to advance the debate one more step. The NTIA has begun holding multi-stakeholder meetings in an attempt to reach some sort of consensus on what the preferred course of action should be when a vulnerability is found. The first such meeting was recently held at the UC Berkeley School of Law in California. The NTIA has stressed that it is present only as a facilitator: it has no desire to direct or influence the conversation, and it is up to the participants to decide what the output of the group will be.

Is the problem disclosure or bad code?


The problem of what to do with security vulnerability information is not going to go away; in fact, it is going to get worse, a lot worse. Disclosure itself is not the problem. Disclosure is a symptom, a symptom of bad code. If you write code you are going to make mistakes. In fact, it is estimated that there are at least ten defects in every one thousand lines of code. The amount of code that companies are pushing into their products is growing at an ever-increasing rate. Take cars for example: most modern vehicles rolling off the assembly line today contain over one million lines of software code. Based on that industry average, there are roughly ten thousand defects in every car. Not all of those defects are security problems, but some of them will be. As we continue to push software into vehicles, medical devices, refrigerators, light bulbs, etc., this problem will get worse and worse. We need to work out the acceptable actions now, actions that we can all agree on, about what we will do with vulnerabilities when they get found.

What should we do?

Of course, one option is to do nothing and maintain the status quo, meaning that researchers and vendors will continue to butt heads. Researchers will threaten full disclosure and vendors will run to their lawyers and the public will be caught in the middle. However, if we (the vendors and researchers) fail to take action and don’t come to some sort of agreement, we will likely find action being taken for us in the form of government regulation. We have a collective interest and a shared fate in the outcome of this issue; we should work on a solution together or we risk having a solution forced on us.

Let’s face it, there is a power inequity in the vulnerability equation. Vendors usually have money and lawyers, and it is easy for them to run to the courts to immediately stop threats to their bottom line. The researcher seldom has the resources available to match those of the vendor and is left at a disadvantage. And the public, who stands to gain the most from the information that the researcher has found, is diffuse and does not understand the complexities of the equation.

There has already been some criticism of the multi-stakeholder meetings held by the NTIA from people who rightly point out that the Department of Commerce has no way to enforce any outcome from these meetings. They have no enforcement arm, cannot pass laws and cannot levy fines. The process is also long and time-consuming, with monthly meetings most likely being held over the next several years before any output can be released.

The NTIA contribution


What the NTIA can do—what they have already proven they can do—is get a disparate group of people in the same room to start the discussion and drive change. At the first meeting in Berkeley, the attendees proved to be varied and diverse, with viewpoints presented not only from security researchers but also large software vendors, vehicle manufacturers and medical device companies. That is the power that the NTIA can bring; by getting all of these people in the same room to discuss this important topic, maybe—just maybe—we can come to some sort of conclusion on this ancient debate.

Granted, the NTIA doesn’t have any enforcement authority, but that doesn’t mean we should just give up and walk away. It does not mean that we should shrug our shoulders and say that nothing will change. It does not mean that all the debate and discussion is just there so that people in the information security industry can listen to themselves talk. The more we sit down in the same room and discuss the problem, the more likely we will find a solution.

The status quo will not change without a revolution.
