Trade Law Daily is a Warren News publication.
Incentives Also Focus

NTIA Vulnerability Research Disclosure Process Takes Aim at Best Practices

Cybersecurity stakeholders moved forward via NTIA's multistakeholder process on vulnerability research disclosure, further revising the scope of working groups' examination of the issue. A working group on increasing adoption and awareness of vulnerability disclosure best practices generated the most debate during Wednesday's NTIA-facilitated meeting. Other multistakeholder working groups are examining possible incentives for safe vulnerability research disclosures, best practices for multi-party vulnerability disclosures and best practices for disclosures within safety industries. Most at an initial multistakeholder meeting in September identified increasing adoption of vulnerability disclosure best practices and examining incentives for adoption as the most pressing issues the NTIA process should focus on (see 1509290061).

Multiple stakeholders sought heightened discussion of efforts to increase adoption of vulnerability disclosure best practices, saying it ultimately affects all other working groups. The Adoption and Awareness Working Group is determining what the most common barriers are to industry adoption of vulnerability disclosure best practices, including barriers to making use of such best practices public, said co-Chairwoman Jen Ellis, Rapid7 communications director. “We have a lot of work to do.” The working group plans to circulate a survey among industry stakeholders about the level of corporate adoption of disclosure best practices and possible barriers, Ellis said. The survey and a clearer picture of stakeholder interest in the adoption issue will help determine the scope of the working group's future work, she said.

Retail Cyber Intelligence Sharing Center Research Director Wendy Nather said the RC-ISAC hasn't made adopting vulnerability disclosure best practices a top priority because it's a relatively new organization. Adopting such best practices is on RC-ISAC's “to-do list” and would become a higher priority if someone disclosed a vulnerability on the organization's website, Nather said. Transparency of disclosure policies is often problematic for companies because they “don't know how to open themselves up for positive reporting from the security industry,” said HackerOne Chief Policy Officer Katie Moussouris. Researchers are also affected by a lack of transparency because it breeds uncertainty about how a company will respond to a vulnerability disclosure, she said.

The Economic Incentives Working Group is determining the scope of its future work, but has found significant negative incentives to adoption of disclosure best practices. The negative incentives include a need for vendors to use the most cost-effective security testing protocols available and to suppress disclosures in the short term in the hopes that vulnerabilities can be quietly patched, said working group co-Chairman Jason Shirk, Microsoft Bing privacy manager. Researchers often find the most profitable choice is to sell vulnerability information to outside parties, while consumers have no consistent way to evaluate the risks posed by different vulnerabilities, said working group co-Chairman Gianpaolo Russo, Indiana University Center for Applied Cybersecurity Research fellow.

The working group is still “very early” in the process of determining the efficacy of known positive incentives, Shirk said. Positive incentives include a sustainable process for vendors to address vulnerabilities as a way of protecting their market reputation, while researchers would benefit from an open marketplace and assurances that vendors won't prosecute them for simple discovery, the working group said in its draft scoping document. Determining which positive incentives are most effective is “going to be extremely important” to improving adoption of vulnerability disclosure best practices, Nather said.