sb-eu logo
Story image

Companies and researchers coordinating on disclosure – 451 Research

30 Sep 2019

Application security testing (AST) provider Veracode has today released results of a global survey on software vulnerability disclosure, Exploring Coordinated Disclosure, that examines the attitudes, policies and expectations associated with how organisations and external security researchers work together when vulnerabilities are identified.

The study reveals that today, software companies and security researchers are near-universal in their belief that disclosing vulnerabilities to improve software security is good for everyone.

The report found 90% of respondents confirmed disclosing vulnerabilities “publicly serves a broader purpose of improving how software is developed, used and fixed.”

This represents an inflection point in the software industry – the recognition that unaddressed vulnerabilities create an enormous risk of negative consequences to business interests, consumers, and even global economic stability.

“The alignment that the study reveals is very positive,” says Veracode chief technology officer and co-founder Chris Wysopal.

“The challenge, however, is that vulnerability disclosure policies are wildly inconsistent. If researchers are unsure how to proceed when they find a vulnerability it leaves organisations exposed to security threats giving criminals a chance to exploit these vulnerabilities.

“Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day. A strong disclosure policy is a necessary part of an organisation’s security strategy and allows researchers to work with an organisation to reduce its exposure,” he says.

“A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped.”

Key findings of the research include:

  • Unsolicited vulnerability disclosures happen regularly. The report found more than one-third of companies received an unsolicited vulnerability disclosure report in the past 12 months, representing an opportunity to work together with the reporting party to fix the vulnerability and then disclose it, thus improving overall security. For those organisations that received an unsolicited vulnerability report, 90% of vulnerabilities were disclosed in a coordinated fashion between security researchers and the organisation. This is evidence of a significant shift in mindset that working collaboratively is the most effective approach toward transparency and improved security.
     
  • Security researchers are motivated by the greater good. The study shows security researchers are generally reasonable and motivated by a desire to improve security for the greater good. Fifty-seven percent of researchers expect to be told when a vulnerability is fixed, 47% expect regular updates on the correction, and 37% expect to validate the fix. Only 18% of respondents expect to be paid and just 16% expect recognition for their finding.
     
  • Organisations will collaborate to solve issues. Promisingly, three in four companies report having an established method for receiving a report from a security researcher and 71% of developers feel that security researchers should be able to do unsolicited testing. This may seem counterintuitive since developers would be most impacted in having their workflow interrupted to make an emergency fix, yet the data show developers view coordinated disclosure as part of their secure development process, expect to have their work tested outside the organisation, and are ready to respond to problems that are identified.
     
  • Security researchers’ expectations for remediation time aren’t always realistic. After reporting a vulnerability, the data shows 65% of security researchers expect a fix in less than 60 days. That timeline might be too aggressive and even unrealistic when weighed against the most recent Veracode report, which found more than 70% of all flaws remain one month after discovery and nearly 55% remain three months after discovery. The research shows that organisations are dedicated to fixing and responsibly disclosing flaws and they must be given reasonable time to do so.
     
  • Bug bounties aren’t a panacea. Bug bounty programs get the lion’s share of attention related to disclosure but the lure of a payday actually is not driving most disclosures, according to the research. Nearly half (47%) of organisations have implemented bug bounty programs but just 19% of vulnerability reports come via these programs. While they can be part of an overarching security strategy, bug bounties often prove inefficient and expensive. Given that the majority of security researchers are primarily motivated by seeing a vulnerability fixed rather than money, organisations should consider focusing their finite resources on secure software development that finds vulnerabilities within the software development lifecycle.

Methodology

To gather relevant data for this report, 451 Research conducted survey commissioned by Veracode from December 2018 to January 2019 using a representative sample of 1,000 respondents across a range of industries and organisation sizes in the US, Germany, France, Italy and the UK.

Survey respondents reported enterprise roles such as application development, infrastructure and information security, as well as security consultants, third-party vulnerability assessors or penetration testers, and independent security researchers.

Respondents were required to have an average to high level of familiarity with vulnerability disclosure models to participate.

Story image
Revealed: The behaviours exhibited by the most effective CISOs
As cyber-threats pile up, more is being asked of CISOs - and according to Gartner, only a precious few are 'excelling' by the standards of their CISO Effectiveness Index.More
Story image
Jamf extends Microsoft collaboration with iOS Device Compliance
Organisations will soon be able to use Jamf for Apple ecosystem management while using Azure Active Directory and Microsoft Endpoint manager to maintain conditional access.More
Story image
OT networks warned of vulnerabilities in CodeMeter software
Manufacturers using the Wibu-Systems CodeMeter third-party licence management solution are being urged to remain vigilant and to urgently update the solution to CodeMeter version 7.10.More
Story image
Why it’s essential to re-write IT security for the cloud era
Key components of network security architecture for the cloud era should be built from the ground up, as opposed to being bolted on to legacy solutions built for organisations functioning only on-premises or from only managed devices.More
Story image
Cryptomining trojan malware discovered by ESET researchers
The malware, primarily targeting victims in Czechia and Slovakia, prioritises subterfuge through deployment of multiple techniques to avoid detection, and leans heavily on the Tor network and BitTorrent protocol to achieve its goals.More
Story image
Report: 151% increase in DDoS attacks compared to 2019
It comes as the security risk profile for organisations around the world increased in large part thanks to the COVID-19 pandemic, forcing greater reliance on cloud technology and thrusting digital laggards into quick and unsecured migrations.More