Calls for Public Participation from Technology Providers, Operators, and Security Researchers
Issued by Rapid7 on behalf of the Awareness and Adoption Group – A coalition of cybersecurity experts participating in a program to promote greater understanding and adoption of best practices for security vulnerability disclosure and handling today launched two surveys to investigate awareness of and perspectives on the issue. The coalition is made up of members of the “Awareness and Adoption Group” participating in a multistakeholder process on vulnerability disclosure and handling, which is being convened by the National Telecommunications and Information Administration (NTIA).
As software and technology systems become more advanced and complex, their potential to contain issues that negatively impact users increases. Such issues, known as vulnerabilities, may also create opportunities for malicious attackers. Vulnerabilities are often found and addressed during the development, and prior to the market release, of software and technology systems, but testing for everything is impossible. As a result, vulnerabilities may still be found in products and online services, either through intentional investigation or accidental discovery. In both situations, a clear path for security researchers or discoverers to disclose their findings to technology developers, manufacturers, and service providers helps to resolve issues without exposing users to undue risk. A clear path is often part of a “vulnerability handling” policy, process, or program.
While much work has previously been undertaken to develop best practices for vulnerability disclosure and handling – resulting in two International Standards Organization (ISO) standards, ISO/IEC 29147 and ISO/IEC 30111 – adoption of these practices is not yet widespread. The Awareness and Adoption Group wants to understand how broad adoption of vulnerability disclosure and handling policies and practices is, including in various industry sectors and among researchers and organizations in different working contexts. Where there are barriers to adoption, the Group seeks to identify what they may be and to develop responsive guidance.
The Group is investigating these issues by surveying the main stakeholder groups involved: technology providers and operators, who may receive reports about potential vulnerabilities; and security researchers, who may report potential vulnerabilities to technology providers and operators. Anonymized information will be gathered through two short (fewer than 10 questions each) online surveys. The resulting data will be aggregated and analysed for a report that will be issued to the public later in 2016. Based on the findings, the report will recommend actions to increase adoption of vulnerability disclosure and handling best practices.
“Ultimately our goal is to help make everyone safer; given the trust we place in technology in every area of our lives, it’s important to understand that vulnerabilities can have a negative impact on people’s safety and identity, as well as reaching a scale of national security or economic stability,” said Jen Ellis, Vice President of Community and Public Affairs at Rapid7, and co-chair of the Awareness and Adoption Group. “Addressing this requires open collaboration between researchers and technology providers and operators, and we believe that a strategic and thoughtful approach to vulnerability disclosure and handling is a very important element of this.”
“We hope that people will approach these surveys in a spirit of openness so we can understand real world perspectives and make appropriate recommendations,” said Amanda Craig, Senior Cybersecurity Strategist at Microsoft, and co-chair of the Awareness and Adoption Group. “There has traditionally been a perception of a somewhat adversarial relationship between researchers and technology providers and operators. We want to move past this, and the common assumptions it engenders, to understand current experience with, and perspectives on, vulnerability disclosure and handling. It’s only by understanding what’s really happening that we can make meaningful recommendations for increasing adoption of best practices.”
The surveys can be accessed as follows:
Technology providers and operators: https://www.surveymonkey.com/r/techprovider
Security researchers: https://www.surveymonkey.com/r/securityresearcher
The surveys, which were developed by stakeholders, not NTIA, are live now and will be available online until April 30th, 2016.
The Awareness and Adoption Group includes representatives from technology providers, the security research community, civil liberties groups, and others involved or interested in the vulnerability disclosure and handling lifecycle. Members include: The Center for Democracy and Technology, CERT Coordination Center, Dino Dai Zovi (security researcher), HackerOne, Katie Moussouris (co-editor of ISO 29147 & ISO 30111), Microsoft, Neal Krawetz (security researcher), New America’s Cybersecurity Initiative, Rapid7, and SAP.