Observations on Responsible Vulnerability Disclosure in Practice

The facade of the Finnish parliament reflected on the window of the Finnish Parliament Annex. Image © Lari Huttunen.

Researchers: The First Obstacle is Often the Steepest

As a researcher, the first and usually the biggest obstacle you have to overcome is collaborating with the vendor: getting them to acknowledge, reproduce, fix and publish the vulnerabilities you have discovered. This can take time, and in some cases it even leads to a situation where the vendor buries its head in the sand like an ostrich and pretends the vulnerabilities do not exist.

Vendors: Vulnerability Disclosure Process 101

If you represent a vendor and you don’t have an established product security track record, getting started doesn’t need to be complicated. The first step can be as easy as setting up a communication channel for potential reporters through a file called security.txt, as defined in RFC 9116. I think the most important motivation for this RFC is the following:

  • Guidelines: what is expected of a researcher, either when performing research or when trying to report an issue they have discovered.
  • Scope: what is within the scope of acceptable vulnerability research, e.g. domains, products, services.
  • Test methods: what is out of scope, such as performing a DDoS attack or social engineering.

  1. Come up with a mitigation for the issue if possible.
  2. Fix the issue.
  3. Make the fix available to your users.
  4. Publish the issue.

  1. identify the specific issues in your software
  2. the versions they affect
  3. what the impact is
  4. and, most importantly, which version(s) contain the fixes.
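As an added example that is not part of the original post: a small checker for the structural rules RFC 9116 sets for a security.txt file (at least one Contact, web contacts over https, exactly one Expires given as an RFC 3339 date-time that has not passed). The sample file, the domain and the addresses in it are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

SAMPLE = """# Constructed sample for /.well-known/security.txt; domain and addresses are placeholders
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security/policy
"""

def parse_security_txt(text):
    """Return (field, value) pairs in file order; field names are case-insensitive."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no fields
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    by_name = {}
    for name, value in parse_security_txt(text):
        by_name.setdefault(name, []).append(value)
    problems = []
    # Contact is required; a web contact must use https
    contacts = by_name.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for uri in contacts:
        if not uri.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact must be an https/mailto/tel URI: {uri}")
    # Expires must appear exactly once as an RFC 3339 date-time and lie in the future
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:  # older fromisoformat() rejects 'Z'; a stamp without a timezone fails the comparison
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00").replace("z", "+00:00"))
            if when <= now:
                problems.append("file has expired; a reporter cannot trust its contacts")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC recommends less)")
        except (ValueError, TypeError):
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
    return problems
```

Run it periodically against your own published file: an expired security.txt is the most common way the channel silently stops working.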

Case Study: Integrity Checking — an Integral Part of Cyber Security

I’m an editor for an independent security blog called Public Exposure. In late June, I received a first draft of a write-up from Joona that was very intriguing. After a couple of rounds of light edits, I agreed with Joona and Tomi that we would publish the blog post on Tuesday, 2022-07-12, which happened to be Patch Tuesday. (We usually publish on Patch Tuesday.)


Lari Huttunen is a polyglot linguist with an avid interest in defensive cyber security. Read more at: https://public-exposure.inform.social/author/lari-huttunen
