Engaging with Hackers in Coordinated Vulnerability Disclosure

News item | 20-06-2016

Private and public organizations are increasingly working together with ethical hackers to improve their cybersecurity architecture. In the GFCE initiative on Responsible Disclosure governments, companies and representatives from the technical community exchange their experiences and identify best practices. Under what conditions can ethical hackers be successfully integrated into national cybersecurity practices? What are the do’s and don’ts in developing responsible disclosure capability?

Written by: Mr. Anne Blanksma Çeta, Senior Advisor at the Secretariat of the Global Forum on Cyber Expertise

Benefits and Risks

The concept of Responsible Disclosure or Coordinated Vulnerability Disclosure (hereafter RD) originated among cyber activists in the eighties and nineties. The original idea was that companies and governments should be publicly shamed into improving data protection by having weaknesses in their cyber infrastructure exposed. Since then, the thinking has evolved. 100 percent security does not exist, and it is generally accepted that organizations should have a chance to fix vulnerabilities before they are made public. RD policy sets the rules and guidelines which organizations and ethical hackers can use when investigating such vulnerabilities.


Jeroen van der Ham is Security Researcher at the Dutch National Cybersecurity Centre, which was one of the first Computer Security Incident Response Teams (CSIRTs) to adopt a national guideline on RD in 2013. He emphasizes the overwhelming benefits of RD as an important extra tool to detect vulnerabilities before they can be exploited. One of the perceived risks of having an RD policy, however, is the possibility of extra scrutiny from the hacker community. According to Jeroen, “In our experience this is only true for the initial phase, when the RD announcement is shared among the community of ethical hackers. We therefore advise investing first in pen tests and in the overall maturity of your infrastructure and response mechanism before employing RD.”


Rules of the Game

Hackers, white or black hats, can do serious damage. It is therefore crucial that governments and organizations set clear and transparent procedures on RD. Victor Gevers, known as an ethical hacker under his pseudonym @0xDUDE, explains: “Ethical hackers, not seldom teenagers, have to be made aware of how far they can go. There should be clear and basic rules, such as no use of ‘brute force’, social engineering, DDoS attacks or malware.” On the other hand, organizations should also rethink what RD means for their internal processes. Jeroen cautions organizations against failing to communicate with ethical hackers: “A classic mistake is that organizations stop communicating after an RD. The ethical hacker might become frustrated with the response and might decide to go public. We therefore recommend establishing clear timelines for response to an RD. For software vulnerabilities, this is usually 2-3 months, and for hardware up to 6.”

Via the GFCE Initiative on Responsible Disclosure, the Dutch Government, together with Hungary, Romania and Hewlett Packard, exchanges best practices and tries to get more governments and organizations to adopt this practice. An important recommendation for governments is to find a balance between encouraging organizations to disclose and fix vulnerabilities, and punishing organizations for being aware of these vulnerabilities and failing to implement available corrective measures.

But Hacking is Illegal!

Yes, some forms of hacking can be harmful and illegal, while sometimes it takes place in a grey area of the law. Surprisingly, as an ethical hacker, @0xDUDE is no proponent of increasing legal protection for ethical hackers: “You have to understand that it is in the DNA of hackers to always find ways around; also, legislation is too slow to keep up with technical developments,” explains @0xDUDE. “That is why I am more in favor of the publication of clear and transparent guidelines by governments and organizations. We should create a culture where ethical hackers can simply contact an organization in case of doubt about employing a certain hacking technique.”

Likewise, Jeroen is not in favor of a legislative route to RD. “In the Netherlands we involved the Public Prosecutor in setting up our guidelines. They also published a report of their own which is currently used by courts to develop jurisdiction on this matter. RD should be judged case by case, following guidelines and based on the intentions of the ethical hacker, the proportionality of the means and the possible harm caused.”

Rewarding Hackers

Given the looming threat of legal action, what drives ethical hackers to cooperate in RD? According to @0xDUDE, it is not necessarily the money: “Some organizations have bounty programs to encourage RDs, but for most organizations this is not necessary to employ.” There are other ways to reward ethical hackers for constructive cooperation: giving public credit, supporting CV building, or issuing an official certificate for services rendered. With a worldwide demand for IT professionals, it is also especially interesting to recruit a pool of young talents. With irony in his voice, @0xDUDE warns of the cultural gap: “Hackers are not necessarily impressed by your suits and university degrees.”

Tips to consider when thinking about Responsible Disclosure

Do: Have national guidelines on RD and on the prosecution of ethical hackers.
Don't: Start an RD policy before ICT infrastructure and incident response are in order (including pen tests).

Do: Have transparent and clear rules on the RD procedure, including forbidden hacking techniques and response times (including sending confirmation of receipt of the RD report and of the action taken).
Don't: Stop communicating with the ethical hacker after the RD report.

Do: Give credit to ethical hackers, not necessarily with financial incentives.
Don't: Be too risk averse to rigid punishment of organizations for vulnerability disclosures and failure to act.