Why vulnerability disclosure shouldn’t be a marketing tool
There have been many arguments within the security community on how researchers should disclose the existence of a security vulnerability. Some argue that full disclosure is the best approach as it makes defenders aware of the security issue and they can take steps to reduce their exposure to it. Full disclosure advocates also say that this approach embarrasses large corporates and motivates them into taking action to address the security vulnerability.
Responsible disclosure advocates argue that their approach is better as it gives companies time to examine and fix the issue properly, and also encourages better relationships between researchers and developers. They also argue that full disclosure provides attackers with the information they need to exploit vulnerable systems, a point counter-argued by the full disclosure advocates, who say that attackers are probably aware of the vulnerability anyway, so it’s best to make defenders aware of it, too.
I am not going to discuss the merits of either side of the above debate. Instead, I want to talk about a vulnerability disclosure trend that I have recently noticed – a trend that I believe may ultimately cause more harm than good: security vendors using vulnerability disclosure as a marketing tool with the goal of enhancing their company’s bottom line.
It seems lately that no vulnerability can be announced without being given a catchy name and cool logo (e.g. Heartbleed and Shellshock). Also, the technical material released about it often makes it seem that the Internet – or possibly even society as we know it – is destined to be destroyed forever.
So now we have three approaches to vulnerability disclosure: full disclosure, responsible disclosure, and marketing disclosure. My concern with the latter is that by its very nature it will get more coverage in both the IT industry and mainstream media. This can result in senior management becoming increasingly concerned over a vulnerability that may have no impact on their organization, but because it was on the evening news they now look to their security team to deal with it.
In the cases where the vulnerability does affect the organization, the security team is called into action to remediate it, but this remediation may be based more on the impact the vulnerability has had on the news headlines than on the impact it actually may have on the environment. This results in already overstretched security teams being distracted from other core tasks.
I have talked to a number of CSOs who are frustrated by this approach from vendors, as it means their valuable time is lost.
These highly publicized vulnerabilities can also have wider-ranging impacts when lobbyists and politicians use them to support their arguments for introducing draconian measures to curb (what they believe are) “evil” security researchers. So when governments introduce laws to ban security research or make criminals out of researchers, we should not be overly surprised.
The security industry and people in it need to realize that they are responsible for keeping technology secure for those who use it. This means taking a measured and often reserved approach to dealing with security issues and vulnerabilities. Vendors need to realize that the discovery of a new vulnerability is not the time to develop a new marketing campaign, but the time to engage in a mature way with others, in order to ensure that the vulnerability is dealt with in the most appropriate way. If we continue to act like the boy who cried wolf, we should not be surprised when the wolf is ignored and we are the ones governments set in their sights.