It's not as bad as you think

Experiencing a vulnerability disclosure

AppSec Jun 24, 2022

Many well-written articles on the internet outline the process of dealing with vulnerability disclosure; this isn't one of those articles.

All I will say about the process is "fail to prepare, prepare to fail".

Moving on, I want to talk about the stuff these procedure-driven articles never seem to address; the emotional rollercoaster you will be riding, what to expect, and how you can keep yourself sane.

The dreaded moment

It's Friday night. You are doing what all security professionals do; sitting on your couch with your feet up, trying to get first blood on HTB (helped with lots of beer and snacks).


You hear an email hit your inbox. Annoyingly the pop-up interrupts your hacking session, but then you see the subject line and your blood runs cold.

"Subject: We have found a vulnerability in your software".

You open up the email and read the contents. Your stomach feels like it did when you first had a shot of tequila; "Crap, what am I going to do"?

OK, this is all a bit overdramatic.

The unfortunate reality is that for those who have never experienced this scenario, it's a huge worry and can be very stressful.

My advice is don't worry, this happens a lot, and although you don't see it now, it can be a positive experience.

Let's walk through the experience.

The clock is ticking, but don't panic!

One thing you need to be aware of: once that email lands, the clock starts ticking. But whatever you do, DON'T PANIC!


The information in that email isn't going to be made public immediately. Take some time to compose yourself and fully understand what is happening and what you need to do.

There are a few things that distinguish a security researcher from a hacker. One of those things is that they work responsibly, usually under a published disclosure policy (their own, their employer's, or the one you publish for your product) that sets out timescales and expectations. Get a copy of it and understand exactly what it requires of you and when.

Armed with this information, you can start your investigation knowing what is required and by when. Acknowledge receipt promptly, so the researcher knows the report has landed with the right people, but keep that first reply minimal: don't speculate about impact or commit to a fix date until you understand the issue. Make sure your internal process is underway before you say anything more.

Work together and create a partnership.

OK, they robbed you of first blood, but it doesn't mean they are bad people!

Bad people would have shared the information over the web without letting you know; these guys are trying to work with you. You are getting the opportunity to have the "best swing" at the problem so embrace it.


It may be frustrating that your cherished security program has let something through, but don't let it get you down. You have a new opportunity to shine.

Everyone knows that shit happens, but when it does, it's how you deal with it that matters.

Often the disclosure describes a complex vulnerability. It's OK if you don't understand what's going on at first, but you're going to need to find out.

It's time to reach out, communicate and build a partnership.

Whilst you may feel a little overwhelmed, researchers understand that this could be new to you. Build a good relationship with the researcher; they don't want to see you crash and burn. Be nice, and they will happily guide you through the situation.

Ask lots of questions, be transparent and understand that, in many ways, you both want the same thing: to secure your product and protect your customers.

I love it when a plan comes together!

Fixing a vulnerability isn't always straightforward and usually takes time and effort. Don't stress out. No one is expecting you to fix things overnight.

When you talk to the researcher, work out a plan of action. Talk about how long the work will take and when the vulnerability will go public.

It's a two-way conversation.

Listen to their recommendations, voice concerns, and formulate the plan together.


It's worth noting that the disclosure policy may dictate timescales for the remedial work. If you don't think you can meet those timescales, tell the researcher ASAP; a reasoned request for more time made early is far more likely to be granted than one made the week before publication.

Once your plan is agreed, it's time to execute it. While creating the fix, keep in touch. Give regular progress updates, and talk to them if something isn't going to plan.

The end is in sight.

If you have maintained the relationship and contact, the actual workload is not particularly stressful or challenging.

Don't get too comfortable. You're not at the end yet.

You think you have it all under wraps. Then three letters get mentioned: CVE!

CVE registration was always going to happen.

The researcher will have mentioned a CVE when formulating your plan, but now it's becoming a reality. You should be involved in the process, and don't be afraid to call things out if you are not happy. In practice, either side can request the CVE ID through a CVE Numbering Authority (MITRE, if no other CNA covers your product), so agree up front who will file it, what the description will say, and which versions it lists as affected and fixed.

Use this insight to prepare your customer communication, and understand that your customers will be worried. You don't want this all falling on your shoulders, so brief teams and support them with handouts, FAQs and pre-prepared statements.

And, breathe

Once things are out in the open, things can go crazy if you haven't prepared. Putting effort into enabling the teams will ensure most of the initial "Big hit" will be directed away from you, leaving you free to deal with the more technical concerns.


When the CVE is released, some of the pressure you may have felt will be relieved. Additionally, when you see the researcher publicly acknowledge how you handled the report, you should feel a sense of pride. It might look insignificant, but wear it as a badge of honour, as it proves you acted responsibly.

Well done, you made it! Was it as scary as you imagined?

Conclusion

No diagrams. No frameworks. No process. Just an insight into what to expect as a human being stepping into the unknown.

Whilst it may feel like the end of the world, seize the opportunity and prove your dedication to the security of your product.

Remember, security researchers are not evil, and they are not out to get you. You are not on your own. There are no silly questions.

That's it for now. I hope this peek into reality will help your experience be a little less frightening.


Scott Mitchell

Experienced AppSec leader and enabler. I have progressed from being "the security guy" to creating and leading a global security program. Sharing knowledge and learning from others is my passion.