[BreachExchange] Why are some vulnerabilities disclosed responsibly while others are not?

Destry Winant destry at riskbasedsecurity.com
Thu Dec 20 22:56:04 EST 2018


https://www.helpnetsecurity.com/2018/12/20/vulnerability-disclosure-economics/

EU’s cybersecurity agency ENISA has examined the problems of
vulnerability disclosure and has released a report that addresses
economic factors, incentives and motivations that influence the
behaviour of the various vulnerability disclosure actors, as well as
two case studies of recently disclosed high-profile vulnerabilities
(Meltdown, Spectre, EternalBlue) that illustrate how the process
occurs.

It examines the economic aspects of the infosec market and how they
relate to vulnerability disclosure, as well as how classical economics
concepts can be applied to the issue (tragedy of the commons, network
effects, externalities, asymmetric information and adverse selection,
liability dumping, moral hazard).

“Economics is a key driver of modern security and economic
considerations often determine the decision of approaches to be taken
when resolving issues. This report perfectly illustrates this fact and
provides valuable insight into why different actors behave as they do
in the vulnerability disclosure space,” noted Udo Helmbrecht, ENISA’s
executive director.

Key insights

“Overall, the study has produced a number of key findings. First and
foremost, the study shows the importance that vulnerability
disclosure, and predominantly CVD, plays in modern society. As
witnessed in the case of EternalBlue, vulnerabilities in widely used
software and hardware can cause immense societal harm across the globe
and it is necessary to have processes in place to adequately identify,
report, receive, triage and mitigate vulnerabilities,” the researchers
found.

Other findings include:

- It’s important to approach vulnerability disclosure as an ecosystem.
All actors involved in vulnerability disclosure should recognise the
importance of setting up and running mutually beneficial structures
that enable effective and efficient CVD to take place
- The actors should be provided with resources, good practice and
voluntary standards
- Finders, coordinators and vendors must be able to constructively
engage with each other in a timely fashion and in a shared language
that both parties understand
- Ensuring safe harbour practices and legal safeguards for security
researchers working to identify and report vulnerabilities is a must
- Most organisations should consider implementing a CVD process, and
some may want to consider a bug bounty programme, but not at the cost
of other information security interventions in the development and
testing stage.
- While CVD and bug bounty programmes can identify certain types of
vulnerabilities, they are unlikely to identify larger structural
issues present in modern computing systems, so governments, academic
institutions and private organizations should keep investing in
long-term security research to identify and mitigate fundamental
weaknesses such as design flaws or protocol vulnerabilities.

The report was compiled based on desk research, review of the
available literature (academic research, technical reports, media
articles, etc.) and interviews with experts from the vulnerability
disclosure community (representatives from academia, bug bounty
platforms, vulnerability disclosure programme operators, vendors,
etc.).
