ETSI has released on 27 January a Guide to Coordinated Vulnerability Disclosure. The Technical Report ETSI TR 103 838 will help companies and organizations of all sizes to implement a vulnerability disclosure process and fix vulnerability issues before they’re publicly disclosed.
As of early 2022 only about 20% of ICT and IoT companies have a publicly identifiable dedicated means to notify a company of a potentially serious security issue with their products or services. Many companies provide a website “contact us” page or have a presence on social media through which a security issue could be reported. However, in most cases without a formal separate CVD process, many companies lack the internal process to handle such reports in a timely manner especially where third party elements are included in their products.
Alex Leadbeater ETSI TC Cyber Chair noted that “While some large companies offer excellent paid vulnerability identification CVD schemes, a significant majority of companies ICT and IoT still do not have any form of CVD scheme in place. This is especially true of smaller companies and for companies with products that are not subject to formal regulatory related cyber security or safety testing. Such schemes are equally important for both physical product manufacturers and service or App providers”.
As mandated in ETSI EN 303 645 Cyber Security for Consumer Internet of Things: Baseline Requirements, a CVD scheme is a key requirement in ensuring on-going strong cyber security after a product has been placed on the market. Ranked after not using default passwords, an inability to handle cyber security vulnerabilities in life has been a significant contributory factor in many recent IoT product security failures.
The ETSI Report contains advice on how to respond to and manage a vulnerability disclosure, a defined triage process, advice on managing vulnerabilities in third party products or suppliers. It also includes an example of a vulnerability disclosure policy. This is especially important for SMEs or larger companies who do not already have experience of CVD schemes or dealing with security vulnerabilities that are reported by security researchers.
Security plays a crucial role in the development and lifecycle of systems, products and services. At any time in the lifecycle, a vulnerability can be found that weakens the security if left unaddressed. If a vulnerability is found in development, this can be addressed before the product is released. Often, however, vulnerabilities are found after a system, product or service has been deployed. In this case, it can be difficult for the finder to know how or where to report the vulnerability.
To remedy this, an organization should have a vulnerability disclosure process. There are many reasons to do so:
- A vulnerability disclosure process helps an organization to respond most effectively to a security vulnerability.
- By providing a clear process, organizations can receive the information directly so the vulnerability can be addressed, and any associated risk reduced.
- Vulnerability reports can provide organizations with valuable information that can be used to improve the security of systems, products and services.
- The presence of a vulnerability disclosure process demonstrates that an organization takes security seriously.
- By accepting and receiving vulnerability reports, organizations will reduce the number of vulnerabilities in their systems, products or services.
- It allows organizations to engage constructively with finders. This engagement means the organization can receive valuable information that would otherwise be missed, or require additional time and effort to discover.
Having a clearly sign-posted disclosure process demonstrates that an organization takes security seriously. By contrast, if an organization does not provide a vulnerability disclosure route, finders who discover vulnerabilities may resort to public disclosure of the information, or vulnerabilities and subsequent exploits may go undetected until an otherwise avoidable serious widescale security event occurs. This public release can result in reputational damage and can lead to a compromise.
As demonstrated by the recent Log4j security bug, early identification and resolution of security vulnerabilities through a CVD scheme should be a key part of every company’s cyber security strategy.
The Technical Report can be downloaded here: