Risk-Based Vulnerability Disclosure: Towards Optimal Policy
1 page. Posted: 2 Apr 2015
Date Written: March 31, 2015
As computing has become increasingly ubiquitous and embedded (as demonstrated by industrial control systems, in-vehicle systems, in-home care systems, and the energy and transportation infrastructures), the issue of responsible disclosure has returned to the fore. These new computing contexts require revisiting the nature of vulnerabilities, and thus of responsible disclosure. The goal of this work is to critique current disclosure practices, particularly in terms of pervasive computing. Based upon these critiques, grounded in the history of vulnerabilities, and informed by a series of expert interviews, we propose a model of risk-based responsible disclosure.
Research on vulnerability disclosure policy was an early focus of the economics of security, particularly until 2006. However, that earlier research reasonably assumed models of computers that were applicable to desktops, laptops, and servers: that there is a centralized source of patches, that patching is possible in a very short time frame, that patching is low cost, and that the issue of physical harm need not be addressed. Currently there is limited agreement upon best practices for vulnerability disclosure. This arises in part from the increasing diversity of both vulnerabilities and their potential impact. There are some clear lines: for example, it is not acceptable to disclose a vulnerability by implementing it and causing harm to victims. There are also well-known reasons for disclosure, specifically creating incentives for vendors to patch and diffusing information to potential victims for their use in risk mitigation.
The trade-offs between transparency and confidentiality are increasingly complex. Responsible disclosure must be equitable: informing the marketplace, incentivizing software manufacturers to patch flaws, protecting vulnerable populations, and simultaneously minimizing the opportunities for malicious actors. To understand and resolve these challenges we begin with the current state of vulnerability research. Stepping back provides a high-level historical perspective from the first identifiable vulnerability in a mass-produced device (beyond the canonical physical bugs in the first highly custom computers) to the Superfish malware in 2015. We describe extant models of disclosure, identifying the strengths and weaknesses of each of these. After that, we summarize factors previously used as vulnerability (and thus disclosure) metrics. These historical analyses and technical critiques are augmented by a series of interviews with technology and policy experts.
We conclude that there is now no single welfare-maximizing disclosure regime. Given this, we advocate for a model of optimal disclosure grounded in risk-based analysis. Such an analysis should be complete and deterministic for a given context. We propose the factors necessary for such a systematic analysis. We then use well-known cases to test the framework and provide illustrative but practical examples.
Keywords: vulnerability, disclosure, risk, policy