Security bugs may have wildly disparate paths of extermination. Some are quietly patched with code updates, while others make the national news and trigger companies' incident response plans. Is your company aware of the data security vulnerabilities it should be addressing? Is your company prepared to respond to a researcher who notifies you of a serious bug, or perhaps notifies the media without any prior notice?
Bugs in all shapes and sizes. Data security vulnerabilities exist for any number of reasons. For example, companies cause their own, such as by misconfiguring implementations or poorly coding websites and mobile applications, leaving them open to common attacks. They also may be using flawed software provided by a vendor and have little control over the vulnerabilities or resolving them, other than waiting for a vendor patch. Or the underlying platforms, operating systems, and transmission methodology may have a vulnerability.
The bug hunt. Companies use various techniques for identifying and resolving vulnerabilities, including code reviews and third-party scans of networks, websites, and mobile applications. Companies can also monitor the many online resources documenting known vulnerabilities, such as the United States Computer Emergency Readiness Team website. Using supported software and promptly implementing security patches are key. Responsible use of open-source software is also strongly recommended. Recent events have shown that an unpatched vulnerability to an open-source application framework can lead to a breach. The infamous Heartbleed bug in the OpenSSL open source cryptographic software library left millions of websites at risk. Notably, for anything other than the most simple systems, assessing the criticality and implications of implementing security patches is not an easy task – among other things, a given patch may have unintended effects on related system components, or the patch may not really be necessary, given the protections provided by other layers of defense. And a company with complex systems could receive dozens, hundreds, or even thousands of patches every week.
Researchers may help, or not. Ethical hackers and researchers can be another valuable source of information about vulnerabilities, but ethical hacking is controversial with both regulators and companies. "White hat hackers," like criminals, try to identify significant data security vulnerabilities. Some of these researchers may provide notice of a discovered vulnerability to the affected company out of altruism or with the hope of receiving a reward. Others, on the other hand, seek notoriety, and they publish their findings to the media without notifying an affected company in advance. This can leave a company scrambling with a data security issue, and a media response, customer, and reputational issue.
True "white hat" researchers would not publish their findings until after they have notified the interested parties. For example, in October, researchers at a European university published a research report on KRACK. KRACK is a vulnerability the researchers discovered in the WPA2 Wi-Fi protocol that could permit attackers to collect and decrypt data traffic flowing through an otherwise secured Wi-Fi network. According to the researchers, they notified device manufacturers in July 2017 before the research report was made public in October, and some of the manufacturers already have made patches available to customers.
Bug bounty programs that pay ethical hackers and researchers for information about vulnerabilities may incentivize them to helpfully find vulnerabilities and report them to the company directly, instead of publishing them in the media or elsewhere. In addition, bug bounty programs may provide guidelines that ethical hackers can follow and refer to if the Department of Justice threatens them with substantial civil and criminal penalties under anti-hacking laws, like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. A recent article describes the real risk of prosecution that ethical hackers face under these laws. Many large Internet companies have bug bounty programs, and such programs seem to be growing in popularity.
Watch for bugs and have a plan. Given what may seem like the Wild West of big game bug hunting, what can a company do to handle the many potential sources of information and the potential bad press from an exposed vulnerability? Companies can actively monitor the many reputable sources of data security information. They can watch and communicate with their vendors for code updates and patches, and dedicate adequate resources to prioritizing and implementing patches appropriately. Unpatched software is a very common cause of security breaches. Companies should also consider whether to implement a bug bounty program, or at least provide a designated point of contact for information that could identify a bug, and track the email it receives to its designated and general email boxes. Researchers may try to communicate bug information using the email addresses listed in a company's website terms of use or privacy policy. If these emails go into an overflowing customer service queue, the appropriate company personnel may not see the researcher's communications until after the researcher's findings have been published and/or the vulnerability has been exploited. The Federal Trade Commission has repeatedly taken note of disregarded warnings of security flaws. In its Start with Security guidance, the FTC pointed to situations where companies either did not have processes for receiving and addressing vulnerability reports from third parties, or the system did not function properly to route reports to the appropriate personnel. If a company has already remediated a vulnerability when it is made public, the company will have a better story to tell if questioned by the media or regulators.
A company can also plan and develop procedures for responding to media reports about vulnerabilities as part of its data security incident response plan. It should consider how it will react to news reports that a researcher found a vulnerability involving its systems. A company can also plan how it will respond to quickly address vulnerabilities it learns through these channels from a data security perspective. Increased planning and awareness of potential data security issues can reduce the risk of being caught off guard by news reports of the company's data security vulnerabilities, or worse.
This article is presented for informational purposes only and is not intended to constitute legal advice.
