Risk-Based Vulnerability Disclosure: Towards Optimal Policy
24 Pages. Posted: 2 May 2015
Date Written: April 30, 2015
Computing has become increasingly ubiquitous and embedded (as demonstrated by industrial control systems, in-vehicle systems, in-home care systems, and within the energy and transportation infrastructures). As a result, the issue of responsible vulnerability disclosure has returned to the fore. These new computing contexts require revisiting the nature of vulnerabilities and redefining responsible disclosure. The first goal of this work is to critique current disclosure practices. Based upon these critiques, grounded in the history of vulnerabilities, and informed by a series of expert interviews, we propose a model of risk-based responsible disclosure.
Research on vulnerability disclosure policy was an early focus in economics of security, particularly until 2006. That earlier research, however, reasonably assumed models of computers that were applicable to desktops, laptops, and servers. That is, there is a centralized source of patches, patching is possible in a very short time frame, patching is low cost, and the issue of physical harm need not be addressed. Current disagreements arise in part from the increasing diversity of both vulnerabilities and their potential impact. There are some clear lines. For example, it is not acceptable to disclose a vulnerability by implementing it and causing harm to victims. There are also well-known reasons for disclosure, specifically for creating incentives for vendors to patch and diffusing information to potential victims for their use in risk mitigation.
The trade-offs between transparency and confidentiality are increasingly complex. Responsible disclosure must be equitable: informing the marketplace, incentivizing software manufacturers to patch flaws, protecting vulnerable populations, and simultaneously minimizing the opportunities for malicious actors. To understand and resolve these challenges, we begin with the current state of vulnerability research. Stepping back provides a high-level historical perspective from the first identifiable vulnerability in a mass-produced device (beyond the canonical physical bugs in the first highly custom computers) to the Superfish malware in 2015. We describe extant models of disclosure, identifying the strengths and weaknesses of each of these. After that, we summarize factors previously used as vulnerability (and thus disclosure) metrics. These historical analyses and technical critiques are augmented by a series of interviews with technology and policy experts.
For the vast majority of vulnerabilities, the questions of public disclosure are not “if” but rather when and at what level of detail. We conclude that there is now no single optimal disclosure regime. Given this, we advocate for a model of disclosure grounded in risk-based analysis. Such an analysis should be complete and deterministic for a given context. We propose the factors necessary for such a systematic analysis. We then use well-known cases to test the framework and provide illustrative but practical examples.