Upcoming IoT Security Legislation: Vulnerability Disclosure – Part 2

By Rohan Panesar, Marketing Assistant at Crypto Quantique. This is part 2/2 of blogs examining the PSTI Act, diving deeper into vulnerability disclosure.


In part one of this two-part series of blogs, Crypto Quantique discussed the PSTI Act, one of whose requirements for IoT device manufacturers is to implement a means of receiving reports of security issues. The industry term for this is vulnerability disclosure.

Read part one of this blog here

What is Vulnerability Disclosure?

The European Union Agency for Cybersecurity (ENISA) defines vulnerability disclosure as “The process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited”. The idea is that security researchers who find vulnerabilities in an organisation’s hardware or software have a dedicated channel through which they can report their findings to that organisation. Coordinated vulnerability disclosure (CVD) is the industry-recommended best-practice implementation of this: the researcher works with the vendor, or with a coordinator acting as intermediary, to rectify the problem they have identified.

Why is CVD important?

To understand why vulnerability disclosure is important, it is first necessary to understand what a vulnerability is. ETSI describes a vulnerability as a security bug or defect in a system, product or service; an exploit takes place by taking advantage of one or more vulnerabilities. Vulnerability disclosure is a method by which an organisation can become aware of vulnerabilities in its systems outside of its regular security testing. In recent years vulnerability disclosure has received great attention from industry and now from governments, and it is a requirement of both the UK’s PSTI Act and the EU Cyber Resilience Act (CRA).

What are the components of a vulnerability disclosure policy?

At its core, a vulnerability disclosure policy can be incredibly simple to implement. The UK’s National Cyber Security Centre (NCSC) has created a vulnerability disclosure toolkit which contains three components.

These are:

  • Communication
    • This involves having a dedicated email address that ensures vulnerability reports reach the correct person at an organisation. Some organisations also offer the option of securing reports with PGP encryption or of submitting them via a secure web form.
  • Policy
    • A good policy should clearly communicate how an organisation wishes to receive reports and conduct its vulnerability disclosure process. ISO/IEC 29147:2018 outlines the minimum required elements of a policy. These are:
      • How an organisation wants to be contacted
      • Secure communication options
        • PGP key
        • Secure web form, etc.
      • What information to include in the report
      • What the finder should expect to happen
        • The PSTI Act requires that an organisation provide information on expected timelines in its policy.
  • Security.txt
    • https://securitytxt.org/
    • Security.txt is a proposed standardised location and method of communicating an organisation’s policy. It is a text file that sits at /.well-known/security.txt on a website.
    • It contains:
      • Contact information
      • Policy information (or a link to a policy)
      • An expiration date
        • This shows that the policy is still maintained and is not stale.

Where a policy is located is also important. Security.txt provides a standardised location for a vulnerability disclosure policy. Some companies use /security, but anywhere that is easily discoverable by a security researcher is a good start. See Crypto Quantique’s policy at www.cryptoquantique.com/.well-known/security.txt

Incentives

Vulnerability disclosure often relies on the goodwill of security researchers to submit reports to organisations. Some organisations use leaderboards and acknowledgement pages to thank researchers, and some reward them with company swag. However, ENISA found in a paper that financial incentives were a prominent motivator for engagement in a CVD scheme. In the industry this is known as a bug bounty. Bug bounties are almost identical to a vulnerability disclosure policy, with a defined scope and communication method, but they add an established payout structure for the severity levels of the vulnerabilities reported.

Proxy Disclosure

While creating a policy is relatively simple, organisations must take a proactive approach to vulnerability disclosure. Receiving a report can be a daunting prospect; the NCSC toolkit linked above has steps to follow to properly handle a report from a security researcher. Additionally, there are third-party organisations that enable companies to host a policy through a proxy disclosure platform, as well as coordinating interactions between researchers and organisations.


Vulnerability disclosure is a great tool for improving a company’s overall security, as well as for signalling a positive security posture. Additionally, implementing a policy will bring your company one step closer to compliance with legislation like the PSTI Act and the CRA. In upcoming blogs Crypto Quantique will continue to discuss IoT security legislation and what it means to be compliant.


Additional resources