The Ethics of Responsible Disclosure: Reporting Vulnerabilities Ethically
A vulnerability disclosure policy (VDP) sets out the ground rules for how an ethical hacker is expected to find and report security issues. It establishes the framework for reporting security flaws and vulnerabilities, so that all parties can acknowledge receipt of communications and exchange information in a formal and consistent manner.
Organisations can increase the security of their networks, systems, and applications with the aid of ethical hackers. Ethical hackers are engaged under contract for traditional, outsourced penetration testing and, increasingly, through the newer and rapidly expanding model of crowdsourced security testing. Often, ethical hackers also find and report vulnerabilities voluntarily, without expecting to be paid for their work.
A vulnerability is a weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.
To succeed, ethical hackers must adopt the viewpoint of malicious threat actors: they put themselves in the position of a would-be attacker in order to see an organisation’s defences from that standpoint. They actively search those defences for weaknesses that would allow a successful attack. When they find and report such weaknesses, the chance that the next genuine malicious actor can exploit them is reduced or eliminated.
Interactions between the organisation and the ethical hacker must be governed by ground rules agreed between them. A vulnerability disclosure policy sets out the most important of these interaction guidelines.
What constitutes a vulnerability disclosure policy’s essential elements?
Commitment.
The introduction section provides background on the organisation, its commitment to security, and related topics, and describes the purpose and objectives of the policy. It is an expression of goodwill and encouragement, signalling that disclosed vulnerabilities are highly valued. Vulnerability reporting can reduce the likelihood of a successful cyberattack and may avoid the costs and reputational harm that would accompany one.
Safe Harbor.
This section expressly states the organisation’s promise not to take legal action over security research that makes a “good faith” attempt to abide by the policy. The authorisation and safe harbour clause states explicitly that good faith efforts will not give rise to legal action. CISA suggests the following wording for the authorisation and safe harbour section of government agency vulnerability disclosure policies:
“We will consider your security research to be authorised if you make a good faith attempt to abide by this policy while conducting it. AGENCY NAME won’t advise you to take any legal action based on your investigation, but we will work with you to rapidly identify and fix the problem. We shall disclose your consent if a third party brings legal action against you because of actions taken in accordance with this policy.”
Important Recommendations.
Guidelines further define the bounds of the ethical hacker’s expected conduct. They may state, for example, that notification should be sent as soon as a potential security issue is found. It is customary to advise against using an exploit for anything other than verifying that a vulnerability exists. Many vulnerability disclosure policies stipulate that discovered exploits must not be used to compromise data further, establish persistence elsewhere, or pivot to other platforms.
Scope.
The scope gives a clear statement of what the policy applies to: the properties and internet-connected systems it covers and the vulnerability categories that are in scope. The scope should also list any testing methods that are not permitted. For instance, VDPs customarily forbid DoS or DDoS attacks as well as attacks with a physical component, such as attempting to enter a facility. Social engineering, including phishing, is another frequently prohibited practice. Because circumstances can change, it is crucial to specify exactly what is and is not acceptable.
Process.
The process covers the procedures ethical hackers use to report vulnerabilities properly. This section gives instructions on where to send reports and lists the information the organisation needs in order to identify and assess the vulnerability: its location, its potential impact, and any technical details needed to locate and reproduce it. It should also state when receipt of the report will be acknowledged.
It is best practice to give ethical hackers the option to report vulnerabilities anonymously; in that case the vulnerability disclosure policy would not require identifying information to be provided.
Definition of Trade-offs in Disclosure Policies
Under responsible disclosure, a vulnerability is disclosed publicly only once it has been fixed. Manufacturers and developers can take a long time to fix an issue. It can be argued that restricting the flow of information lowers risk, since fewer threat actors will be aware of the vulnerability. However, it takes only one determined threat actor to find the weakness independently, and in that case responsible disclosure may give skilled attackers additional time to find the flaw and complete a breach. Vulnerability disclosure policies typically state that responsible disclosure is required, and for the affected organisations it is by far the preferred option.
At the opposite end of the spectrum is full disclosure. Full disclosure may become the last resort when an ethical hacker has tried everything to notify an organisation of a vulnerability but has been unsuccessful. Full disclosure shifts the playing field towards the presumption that there is always some threat actor who already knows about any given vulnerability. On that assumption, a newly identified vulnerability poses a serious danger and needs to be disclosed right away, and the disclosure puts pressure on the involved parties to act quickly and adopt appropriate safeguards. Overall, full disclosure trades greater exploitation risk and increased attacker investment in the vulnerability for more research support and advance planning by cyber defenders. Full disclosure decisions are typically made by the ethical hacker and are usually not supported by the organisation that may be affected.
Structured Standards
ISO provides an excellent guideline on how to disclose vulnerabilities in products and services. Vulnerability disclosure helps organisations prioritise risk, improve the defence of systems and data, and direct cybersecurity investment where it is most needed. Coordinated vulnerability disclosure is especially crucial when several suppliers are affected.
Programmes and Policies for Vulnerability Disclosure Bring Strong Value
Through Bugcrowd, companies can give their applications access to a highly specialised network of security researchers. Critical software vulnerabilities can be found more quickly using The Crowd than with conventional techniques. The Bugcrowd crowdsourced security platform lets organisations of all sizes run security programmes to test their applications effectively and fix vulnerabilities before they are exploited.