At WatchGuard, we’re big supporters of the responsible disclosure process for reporting vulnerabilities to device and software manufacturers. We believe it’s beneficial for everyone involved. In fact, WatchGuard threat analyst Marc Laliberte recently demonstrated how effective responsible disclosure can be. While conducting research for an ongoing Internet of Things security project, he discovered a vulnerability in a popular IoT camera and quickly notified the manufacturer.
Marc wrote a column for Dark Reading explaining each step of the responsible disclosure process and how the IoT camera manufacturer ultimately patched the vulnerability. He also raises some key considerations and grey areas researchers should weigh once they’ve identified a vulnerability. Here’s a brief excerpt from the article:
I submitted (my vulnerability) report to Amcrest on November 4, 2016. Many large vendors have a process in place for reporting vulnerabilities, and if not, a researcher usually sends an email encrypted with the vendor’s public PGP key. In this case, I contacted Amcrest’s support team to inquire how they would like me to report the vulnerability. Ultimately, I submitted my vulnerability report through a support case.
Now the important question — what is the appropriate amount of time to allow a researcher to respond before publicly disclosing a vulnerability? A researcher should allow vendors a reasonable amount of time to investigate and patch a vulnerability, but there’s no industry standard for how long that is. I opt for 60 days, which is common.
For a closer look at each step of the responsible disclosure process, read Marc’s full article in Dark Reading.