What Hackers Know About Vulnerability Disclosures

Let the “good” make noise, otherwise the “bad” definitely will! In line with this adage, it is important to do all that is within your means to secure your data and your systems.
app testing
And you have a choice here: whether or not to indulge in a detailed vulnerability disclosure to the public at large.
What is a Vulnerability Disclosure Policy?
A Vulnerability Disclosure Policy (VDP) is a document that reports flaws in security that will adversely affect the working of your computer hardware and software.
Security researchers are ordained to disclose vulnerabilities to the parties concerned, mentioning the areas in the system that are flawed.
At times, in-house developers and vendors who work with vulnerable systems announce such security imperfections once the change in code takes place.
Once this patch is made available, security experts will be in a position to make the vulnerability public.
However, such an announcement will defeat the actual purpose of data security measures.
So, you may ask as to what is the best form of disclosure.
Here comes the response.
If you wish to tread the path of responsible disclosure, you should not make a public announcement of the vulnerabilities since you are in principle making a noise of the adverse effects.
When such claims reach the ears of hackers, they will look out for ways and means to breach the security barriers erected by you.
So the solution is to act without breathing a word about vulnerabilities and silently fix them.
Anything that is against to this basic principle will actually work in favor of hackers to steal and exploit your systems and data.
The Argument in Favor of a Vulnerability Disclosure Policy
Given the situation when an outsider identifies a potential issue with your hardware, software or website, you should be the informed of the same.
But when your vulnerability is known to others but remains unknown to you, it poses a huge risk.
If you have a VDP in place, you can ensure that the outsider or finder of the vulnerability will ring the bell to alert you.
It is then that you can ensure the safety and security of your products.
The Ideological Difference
The above introduction is much against the collective opinion of security experts who feel that it is important to inform the public of vulnerabilities.
This information, according to them is the most promising means to fix a security issue.
However, in line with what has been explained above, you will begin to understand that vulnerability disclosures actually put the public in a risky spot.

When you operate through a Vulnerability Disclosure Policy, you will be actually empowering hackers to trespass your security barriers even without your knowledge.
The Elements of a VDP
A VDP consists of five important elements. They are:

  1. Promise: An undertaking or assurance given to customers and stakeholders that they will be notified in clear terms about any security vulnerability
  2. Scope: The span of control, encompassing all the products and properties that come under the purview of a VDP. Additionally, a VDP should also cover all the types of vulnerabilities
  3. “Safe Harbor”: Shield the reporters of a vulnerability from being unduly penalized
  4. Process: There is a process in place which allows process finders to disclose vulnerabilities
  5. Preferences: A continuing document that explicitly sets the expectations for priorities and preferences that will be given to vulnerability reports

With a well-chalked out VDP in place, you can handle all the incoming alerts that are either technical or legal.
You can then initiate a communication with finders and work around a process which will permit internal teams to validate and lessen the risk while also disclosing the security vulnerability.
Lastly, a VDP finds its place to summarize and report all the activities that were initiated to combat security breaches to decision-makers and stakeholders.
How do Hackers Exploit VDPs and Their After-Effects on Your Business
When a VDP falls in the hands of a hacker, you are heading in the direction of a risky proposition in the following ways.

  1. Hackers Monetize With Sales to Law Enforcement and Intelligence Agencies

Imagine a situation when a cyber-attack occurs on the same day a flaw is detected in your software. This paves the way for a zero-day exploit when your data is exploited even before it the flaw is fixed and disclosed to you.
Leaving no scope for detection, it is during such times that a hacker makes the most of the publicly known vulnerabilities which aren’t patched yet.
Hackers are the bad guys who will then resort to selling this flawed information to good guys like the law enforcement internet security software companies.
They will rake in profits by initiating a legal sale which can involve anti-social activities like cyber warfare or child pornography as part of cybercrime activities.

  1. Inaction Towards Known Vulnerabilities

Most of the intelligence agencies feel that the less number of people who are informed of the vulnerabilities the better it is.
Since fewer people have knowledge about vulnerabilities, it become difficult for them to acknowledge their presence as well.

In such cases only the hackers who are adept at vulnerability research and quality exploit development can make good with a known vulnerability.
If you look at the statistics, a whopping 99% of all breaches stem from the exploitation of known vulnerabilities for which a patch already exists.

  1. What If You Notify the Vendor and Resort to Silent Patching

A responsible VDP calls for a great deal of prudence. You should, with the support of your VDP inform the vendor about the flaw you identified and handhold him to fix it.
That means, you should abstain from publicizing your inferences regarding the vulnerabilities.
The vendor will use that information to create and release a silent patch. This way, you will be safeguarding your system from hackers who can gain strength from your VDP.
On the flipside, there were many instances of initiating legal action against all those who conduct security breach and come out in the open about vulnerabilities by vendors.
This fear of facing legal action has prompted security researchers to make public all the vulnerabilities with a guarantee that they will not be taken to task.
Such an act will only jeopardize the goodwill of your company and hence you can steer clear of all such public disclosures.

  1. Publish Vulnerabilities Upon the Release of a Patch

Certain researchers may adopt a process to publicly release the information that they have identified, only after a patch is available. However, you all are aware of the slow speed of patching which will make this sort of an arrangement undependable.
It is highly impossible for every system to be patched in an instance, soon after the patch is released.
Once patching is in progress, you may experience downtime along with the shutdown of certain critical systems and non-functioning of software applications.
When dealing with critical infrastructure, you just cannot afford to have any sort of interruption.
This is the primary cause for major companies to take long periods before patching vulnerabilities that have been published ages ago.

  1. Short-Term Gains of Hackers

A hacker with malice in his mind will go the entire nine yards to exploit a zero-day vulnerability.
Driven by an exclusive motive to rake in profits, hackers focus on high-volume security compromises that are conducted on a large scale.
They work with a high level of confidence that once they exploit a vulnerability they are sure that a patch will soon be released.
Hence, they focus on gaining through short-term moves with a confidence that their trespassing will not be detected.

  1. The Public Becomes the Target Audience

Announcing your VDP is the riskiest proposition in contrast to the most common belief that the public will prompt vendors to act fast and come up with a damage control mechanism.
According to the notion, the general public upon getting notified of the vulnerabilities will act faster than the hacker who is waiting to exploit their systems.
The public will thus be able to secure their systems. Notwithstanding the fact that you are disclosing your vulnerabilities in good faith, you are actually working against the well-being of your organization.
You may ask, how? When you disclose your VDP to the public, you are getting exposed to an increased risk of hackers trespassing your security barriers.
Hackers are so well accustomed to the way in which organizations function. They know with certainty that businesses do not fix a vulnerability the moment it is detected.
They need not wait for a zero-day exploit to rake in profits. All that they need is the vulnerability disclosure that is made public.
They will work around this document and exploit your systems. Hence the solution to this ongoing issue of data and system security is to have a strong patching procedure in place.