Tripwire Survey: Most RSAC Attendees Favor Shorter Vulnerability Disclosure Timelines

With continued debate around responsible disclosure and increased attention around security research techniques, Tripwire wanted to get a pulse on what the community considers responsible practices today. In surveying 147 attendees at the RSA Conference in San Francisco a couple weeks ago, we found out a number of interesting perspectives. Most respondents favored shorter timelines in disclosing vulnerabilities publicly. When asked what's a reasonable amount of time for allowing a vendor to fix a vulnerability before full public disclosure, 32 percent selected the shortest option of 60 days, followed by 25 percent who said public disclosure does not need to wait on a vendor fix. Opinions were split on whether people should be allowed to test security constraints of a company’s products/services without upfront approval from that company, with 50 percent believing they should not be allowed and 49 percent saying they should be allowed. This has been a point of debate recently around new cybersecurity legislation in Georgia, which would affect responsible security researchers' abilities to do things in the public interest. As Tripwire security researcher Craig Young has said in response to the proposed legislation:

Security researchers are the first defenders against data breaches. Ethical hackers find vulnerabilities in systems and expose them to product vendors so they can be patched before they are exploited maliciously. Finding and exposing these vulnerabilities is not a criminal act, it is done with the intent of making the products safer for consumer use.

Eighty-four percent of the survey participants did feel that more legislation is needed to protect people/organizations from malicious hackers, though many felt lawmakers need guidance – for 35 percent, it was "Yes, but in partnership with infosec experts." The survey also explored participants' own organizations' experiences in receiving vulnerability reports. Thirty-sixpercent said that their organization has received an unsolicited vulnerability report in the past, while about half (53 percent) said their organizations have an official channel where external security researchers can easily submit vulnerabilities found in their products or services. A quarter (24 percent) said their organization has been the target of an extortion scheme related to the release of vulnerability details. Tyler Reguly, manager of the Vulnerability and Exposure Research Team (VERT) at Tripwire, had this to say:

While it's a good idea for all organizations to be open to receiving research, 53 percent having an official channel is better than some stats we've seen in the past. Last year a report came out saying 94 percent of companies on the Forbes Global 2000 have no discernible way to receive reports about vulnerabilities in their networks. Vulnerability reports are submitted to help the company better protect themselves and their surfaces. The point of responsible disclosure is to build a safer internet. Those who have submitted vulnerabilities as part of an extortion theme are not representative of the responsible researchers.

The survey results show that responsible security research remains a complicated issue. Some remain concerned about researchers looking into their product and services without their prior knowledge, but there's an important distinction between those who do this work for the betterment of society and those who do it for their own personal gain or other malicious intent. For more on Tripwire's position on security research, read our open letter on the Georgia legislation here: https://www.tripwire.com/state-of-security/government/why-we-believe-georgias-s-b-315-bill-will-increase-cybersecurity-risk/.