The Dangers of Publicly Identifying Security Vulnerabilities Too Quickly
The practice of exposing companies' security vulnerabilities quickly might seem helpful, but this can be detrimental, says Blackpoint Cyber.
![Security vulnerabilities/software update Security vulnerabilities/software update](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt3761216553656844/666b25207bb5b58727782a7a/Software_Update_Patch_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
Summit Art Creations/Shutterstock
Security flaws and vulnerabilities are a constant threat, and public notifications of them give bad-faith actors a convenient window to try to breach a client's system before patches can be put in place. And these vulnerabilities are on the rise.
"Last year, 28,000 vulnerabilities were released," Brown said. "This year, we're hitting 35,000, according to predictions. In the first quarter, we looked at what appeared to be 8,700 vulnerabilities."
Malicious hackers can exploit these vulnerabilities to execute their objective in 20 minutes or less, Brown estimated.
While software providers can often fix many of these vulnerabilities to counter the risk they present, the patching process is frequently slower than the software maker would like.
"The trend in the security research community is this culture where releasing patch notes is more of a marketing clout chase," Brown said. "It's this proverbial chase to see who can develop the proof of concept first and who can show the exploit. But the problem is they also post it online within days after the vendors disclose, 'Yes, there's a vulnerability. This is how you patch it.' Realistically, people aren't patching those in time."
The long list of patches and revealed vulnerabilities could be available to threat actors who regularly follow a company's activity on websites like GitHub, Twitter and YouTube.
"You just made their job a lot easier by basically giving them the recipe book to cook your soufflé," Brown emphasized.
Brown says that software companies and vendors should be wise about how they're disclosing the vulnerabilities to their clients. Blackpoint Cyber's threat intel team is "focused on understanding the vulnerability and exploit and how it can be conducted and then saying, 'OK, this is how bad it actually is. Here's what we can do for remediation in a mitigation stamp.' This is what we need to educate on," Brown said. "But in no way are we going to develop tools or exploits and post them publicly because that doesn't benefit anyone."
The release of such tools can hand bad-faith actors the code they need to keep exploiting the vulnerabilities in question.
This practice arises in part from a lack of appropriate regulations or guidance on how to handle the release of vulnerability notifications. There are no federal or international laws restricting how this information is administered or how appropriate patches are recommended. These sorts of public information releases can lead to massive breaches, like those involving SolarWinds, which eventually led to a hearing before the Senate Intelligence Committee due to the effect it had on commercial and government frameworks.
"From a regulatory stance, it's putting more pressure and precedence on vendors to have SDLC processes, secure development life cycle processes, when they develop their products that we consume," Brown said. "It's also making sure that they're creating a patch within a certain amount of time.
"Culturally, I don't know what we can do from a regulation stance," Brown continued. "But within the security community, we need to start having the conversation where researchers understand that this isn't a marketing opportunity. This is actually a big deal. And ethically, it puts us in more harm than good when we notify the vendor. And then we're just kind of waiting for who's gonna drop the exploit, post it on GitHub and God forbid, make scripts that make it a lot easier to execute the exploits."
Brown encourages vendors and customers to be slower and more coordinated about posting exploits on public platforms. That coordination gives the vendor time to patch any potential vulnerabilities before researchers make their findings public.
She also hopes the security community will consider the implications of such actions and act appropriately.
The security community needs to discuss this practice because "our entire job in the research community is to find exploits," Brown said. "It's interesting, we like it, but it also creates harm if we're not using it for good and we're simply doing it for the interest of others of marketing and cool things that blow up. That's not all right."
Blackpoint Cyber was actively involved at this week's Pax8 Beyond, where the cloud commerce platform unveiled a number of new products and developments. For example, it worked with Pax8 to help develop its new security program, which will offer clients new tools and educational resources.
During its closing ceremony, Pax8 gave Blackpoint Cyber its "Breakthrough Vendor" award.
Protecting partners and vendors is the goal of any security company, but how much information is too much?
According to Blackpoint Cyber's VP of security, MacKenzie Brown, some researchers' propensity to release lists of known security vulnerabilities in near real time might inadvertently put the affected vendors and their customers at greater risk of attack. Brown, a former Microsoft executive, has been advocating for security researchers to adopt a coordinated approach in hopes of reducing the risk of a security hole being outed before it can be patched.
Channel Futures had a chance to sit down with Brown during this week's Pax8 Beyond to discuss several of the issues around security vulnerabilities and the risks observed within the security community.