Vulnerability research and responsible disclosure: Advice from an industry veteran
“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab.
Any member of the team can propose research topics but he, as Head, has the last word on which will be undertaken.
At the beginning of every year, he puts forth a few topics that are currently relevant or may become relevant in the near future. But things also happen when they happen: the team often stumbles upon interesting findings during research and customer-related consulting work, and then decides to deepen the research.
After defining a budget and a timeframe for each proposal, they compare it with the others and pick those they want to research within the next couple of weeks.
The future of vulnerability research
Greil started his internship at SEC Consult – a well-known security consultancy with offices across the world – in 2005, and worked his way up to the position of Team Lead and Head of the Vulnerability Lab.
One of the things he learned in his many years in the security field is that the more organizations spend on security from the very beginning, long before writing a single line of code, the more money they’ll save in the end.
“Unfortunately, you can wave your security budget bye-bye if marketing says a new product needs to launch yesterday, even if that might introduce a ‘slight’ security risk. In the end, business and convenience always trump security concerns,” he notes.
That’s one of the reasons why he thinks vulnerability research will remain an exciting field of work and skilled consultants/researchers won’t have to worry about finding a decent job.
“I guess we will see a lot more sophisticated automated attacks as well as the need for automated analysis tools. The number of IoT-related projects is growing fast and researchers need a way to work through those potentially vulnerable products efficiently. SEC Consult is doing its part: to improve the turnaround time of security advisories and keep good researchers focused on the deeper analysis work, we already launched a platform for automated firmware analysis, which is now also available for external testing,” he shares.
“In our integrated hardware lab, we actually developed custom hardware analysis boards to help the research process. These boards make it much easier for our consultants to get low-level information out of any device (e.g., to dump flash chip contents) in a short time, as sometimes one doesn’t have the time to do a deep hardware analysis.”
He also foresees that, as everything becomes more automated, human error will play a bigger role both in security research and as an origin of vulnerabilities.
Advice for aspiring vulnerability researchers
His advice to security professionals who would like to specialize in vulnerability research is not to do it for fame or quick money. He’s not a proponent of bug bounties, but says they can be used by researchers as an inspiration or as a test to see whether they are up to the challenge.
“Don’t forget: You might invest a considerable amount of time into a bug bounty but then someone beats you to it or you just don’t find anything. There is no guaranteed reward at the end,” he notes.
“Security bounties aim for quick fixes, but not solving underlying issues, and vendors use them to avoid integrating security at a technological level. If you’re serious, an established security company might be the better choice for the long run. Being a security consultant also means showing how to fix it, and that requires a lot of expertise and training on the job.”
When people apply to join the SEC Consult research teams, the company usually tests their reversing skills and their knowledge of computer architecture and software programming, as well as how they work under pressure and whether they think outside the box. Communication skills are also important, not only for getting along and working well with the team, but also with vendors and other involved parties. “You are the professional, you know how it’s done, but you can’t blame or shame anyone,” he adds.
For those who are interested in dissecting different devices at the hardware level, hardware and electronics skills are vitally important.
Finally, Greil thinks that determination and having fun doing the research are among the essential traits of a successful vulnerability researcher. “If you pair all that with curiosity, a problem-solving mindset and neat communication skills, you will bloom in the infosec world.”
Practicing responsible disclosure
Organized vulnerability research of the kind they do at SEC Consult comes with its own set of trials and challenges.
“Ethical and responsible hacking is not as easy as it looks, things take time and the reward is often just a (silent) patch and a non-disclosure agreement. You saved the world, but you won’t get famous. Not right away, anyways,” he says. Keep at it, be patient, have faith. Your time will come.
The company follows a responsible disclosure process, with two ISO standards playing a fundamental role.
“First, ISO/IEC 29147:2014 sets guidelines for the disclosure of potential vulnerabilities in products and online services. It provides methods a vendor should use to address issues related to vulnerability disclosure. Second, ISO/IEC 30111:2013 provides guidelines for how to process and resolve vulnerability information in a product or online service. Our internal responsible disclosure process then aims to provide vendors with the necessary information and timeframe needed to validate and fix a security flaw before a public advisory gets released,” he explains.
“Our biggest challenge is the coordination with the vendors, as we often encounter vendors that are not aware of the impact or simply not cooperative and delay the disclosure process. Sometimes we don’t get any answers at all, or they go silent at a later stage. There are also vendors that don’t have security contacts on their website in the first place, so we need to go over different public channels, which is time consuming and inefficient.”
They are constantly challenged to keep a balance between making the digital world and products more secure and protecting affected customers.
“We usually give the vendor enough time to fix the issues and we only release when a patch is ready in the normal disclosure process. It also happens, every now and then, that a vendor stops answering and we feel obliged to release an advisory, but usually without a particular proof of concept to protect the users. We keep in mind that hackers read advisories more often than the users we intend to warn,” he concludes.