Vulnerability disclosure actions is a process whose purpose, principles and importance were presented in our previous article The Underlying Basis for Responsible Disclosure of Vulnerability. This process is associated with researchers as well as vendors. However, there are several challenges involved on both sides.
What is CVE and NVD?
CVE is short for Common Vulnerabilities and Exposures. Mission of this program is to identify, define, and catalog publicly disclosed vulnerabilities. Each known vulnerability is assigned a CVE ID, which is its identifier in the CVE list. In addition, this list includes a short description of the vulnerability, and at least one public reference, for publicly known cybersecurity vulnerabilities.
Fully synchronized with the CVE list is NVD, which is the US government repository of standards. This database contains technical data, information about risks, fixes, and impacts. Additionally, it provides advanced searching features such as by OS, vendor name, product name, or version number.
Both are available free of charge to the public.
As we mentioned, responsible vulnerability disclosure is very important for both security researchers and vendors. In fact, this is an area that depends on their cooperation and communication. However, there are recommended steps that should be taken to facilitate the process.
How to Report Vulnerability?
Here are the following recommendations for researchers:
- Understand the law – Before you begin finding and reporting vulnerabilities, make sure you understand what is in your jurisdiction.
- Finding the appropriate contact details – For instance, some organizations have developed and published a vulnerability disclosure policy that makes it easy to find contact for reporting. In case that this document does not exist in the company, it is necessary to look for contacts on their official websites or social media platforms.
- Initial report – The main part of the reporting process is compiling a report. It should contain more details of the reported vulnerability. Ideally, it should be sent over an encrypted channel.
The vulnerability description should include:
- Time and method of detection.
- Information on whether the vulnerability has been published elsewhere.
- Version and type of device or software affected by the vulnerability.
- If it is possible, information about installed patches and updates.
- Sufficient details of the vulnerability – what type of vulnerability is it, how can it be exploited, what actions or attacks does it allow, what can cause its misuse – confidentiality, integrity, or availability.
- HTTP requests and responses, screenshots or any other evidence that may be helpful.
- Estimated impact of vulnerability.
How to Respond to Vulnerability Reports?
Here are some recommended actions for vendors:
- Communicating with Researchers – Communication is the key point of the vulnerability disclosure process.
- Using Bug Bounty Programs – These formal vulnerability disclosure programs set the boundaries for security researchers and help organizations in this regard. Some organizations provide various rewards for researchers.
- Resolve or retest vulnerability. It is a good idea to offer testing to the researcher who reported the vulnerability.
- Request a CVE ID for a vulnerability.
- Publishing details about resolved vulnerability in a security advisory.
Security advisory must contain:
- Summary of the vulnerability as well as the impact.
- List of vulnerable and patch versions.
- Possible mitigation recommendations that can be implemented.
Also, it is good to include timeline of the vulnerability disclosure process and vulnerability technical details.
In conclusion, we can state that setting policies, communicating, and following the recommended steps for both researchers and vendors is essential. Important to realize, using bug bounty programs can help a lot. One of the popular and used is, for example, the Zero Day Initiative (ZDI), which was created to support private reporting of zero-day vulnerabilities.