Disclosing vulnerabilities improves security for everyone
According to a new study 90 percent of IT professionals believe disclosing vulnerabilities serves a broader purpose of improving how software is developed, used and fixed.
The survey from application security testing specialist Veracode finds more than a third of companies received an unsolicited vulnerability disclosure report in the past 12 months, representing an opportunity to work together with the reporting party to fix the vulnerability and then disclose it, improving overall security.
The study also shows security researchers are generally reasonable and motivated by a desire to improve security for the greater good rather than by financial gain. 57 percent of researchers expect to be told when a vulnerability is fixed, 47 percent expect regular updates on the correction, and 37 percent expect to validate the fix. Only 18 percent of respondents expect to be paid and just 16 percent expect recognition for their finding.
Three out of four companies report having an established method for receiving a report from a security researcher and 71 percent of developers feel that security researchers should be able to do unsolicited testing. This may seem counter intuitive since developers would be most impacted in having their workflow interrupted to make an emergency fix, yet the data shows developers view coordinated disclosure as part of their secure development process. They expect to have their work tested outside the organization, and are ready to respond to problems that are identified.
"The alignment that the study reveals is very positive," says Veracode's chief technology officer and co-founder Chris Wysopal. "The challenge, however, is that vulnerability disclosure policies are wildly inconsistent. If researchers are unsure how to proceed when they find a vulnerability it leaves organizations exposed to security threats giving criminals a chance to exploit these vulnerabilities. Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day. A strong disclosure policy is a necessary part of an organization's security strategy and allows researchers to work with an organization to reduce its exposure. A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped."
But while organizations are committed to finding and fixing flaws, the survey results show that security researchers can sometimes have unrealistic expectations. 65 percent of security researchers expect a fix in less than 60 days.
The study shows that while 47 percent of organizations have implemented bug bounty programs only 19 percent of vulnerability reports actually come via these.
You can read more about the results on the Veracode blog.