08:06 AM
Gadi Evron

Security PR: How To Disclose A Vulnerability

When your team discovers a new security vulnerability in a third-party product, there are ways to handle it correctly to achieve maximum visibility.

This blog is part of a series of posts on security PR. The previous one was Security PR: How To Talk To Reporters.

The most important thing to remember about vulnerability disclosure -- whether or not you personally believe this -- is that while disclosing a vulnerability can be a win for your organization, it will hurt others, plain and simple. The justification for releasing it is that it will hurt people more if you don't disclose it.

Indeed, if not for your efforts, this vulnerability would not have been fixed, and it may have been exploited by evil attackers without anyone knowing, or used in mass exploitation by a worm a year from now. But that does not change the fact that the vendor in whose product you found the vulnerability will suffer: in having to fix it, in the support costs, and, from a PR perspective, in having to respond to criticism.

Meanwhile, millions of potential users may get compromised because of your disclosure, when criminals use the information to exploit the software now rather than a year from now.

These are issues you should be ready to address in a statement if asked. They are also why you should insist that your researchers disclose the vulnerability responsibly, together with the vendor (as long as the vendor also responds responsibly), rather than try to dissuade them from doing so in order to shorten the timetable.

Make sure you have the goods

Ask your researchers to examine their work, and to bring in an extra pair of eyes, to make sure the vulnerability is real (i.e. exploitable) and, on the flip side, that it is not even more serious than they think (such as a remote exploit rather than a denial of service).

Write three press releases

One should be a simple email you can send to reporters you work with to interest them in the discovery. The second is an actual press release that you can reference everywhere, and the third is a miniature technical paper on the issue.

Send the email, with a reference to the actual press release (a cover letter, if you like), to reporters you work with often.

The technical paper can be referenced in the press release, on your Web site, and on other forums where you publish it. It will be referenced by others who will inevitably write on the topic, as any newly released vulnerability is far more interesting to people inside the industry than it is to reporters.

Contact reporters

The first question to ask yourself is how urgent this release is. If the vulnerability was discovered by your team through rigorous research and it is not likely that someone else will publish it in the next few months, take your time to do things right.

See if you can locate a journalist who will be interested in the disclosure as a scoop, preferably a reporter from a large, popular publication. But there is nothing wrong with working with a smaller, successful tech publication. When one such publication writes on something newsworthy, the rest are likely to pick it up.

Once a large newspaper writes on the subject, others will pick it up and your work is almost done.

If the release is more urgent, work from the bottom up. Contact journalists at tech publications, provide them with the information, and let them do their jobs.

Industry and community releases

More important than contacting the press is informing the community.

If you have the time, have your technical team submit a talk on the vulnerability to a large security conference such as Black Hat, Defcon or CCC. These conferences have teams of reporters just waiting for juicy new releases, who may even contact you before the conference as the rumor mill generates noise.

If the vulnerability is not that significant, or time is short, ask for the help of your technical team and write a short yet detailed technical email to be sent to the relevant mailing lists (such as Bugtraq and Full-Disclosure). While email formats for such disclosures can be found online, they vary considerably.

It is important that you include:

1. A layman's explanation of the vulnerability.
2. A layman's explanation of what the effects of the vulnerability are.
3. What products are affected.
4. Disclosure history (such as when you spoke with the vendor, and about what).
5. Technical details.
6. Exploit. You should not include the actual exploit code for the vulnerability; others will likely write one soon, but for purely ethical reasons it shouldn't be you. However, you should definitely include technical details of what it is. There is little more annoying to peers than a report that is devoid of details.
7. URL to the full technical analysis on your Web site (see the note about blogs below).
8. URL to the press release.

If you can coordinate this release with the affected vendor, that would be great. But don't be afraid to release on your own. Inform the vendor ahead of time how long you are willing to wait before you release the vulnerability, but do try to be understanding of, and collaborative about, their internal issues. The rule of thumb is to be understanding as long as they are being serious about it, rather than just stonewalling.

This industry release will get more relevant attention than any press release, and will be syndicated or referenced on multiple blogs, depending on how critical the vulnerability is.

Further, reporters who follow these mailing lists and groups will contact you so they can write about it.

Other groups to contact

You should send your report to Web sites such as Secunia and OSVDB, so that they can easily release the information as well, rather than having to gather it from the mailing lists. Consult your technical people about which resources you should contact.

Blogs and social media

Referring readers to your blog for further information is a great idea. You can then either release the technical paper on the blog itself, or link to it in PDF format from the blog.

This is about branding to the press. The relevant reporters will soon learn that they should follow your blog for interesting new releases, and they will contact you.

The same can be said of a Twitter account, but the blog is your first step.

Any one of these routes may work for you, and you should consider which one works best for the vulnerability you currently need to release. A combination of these methods is strongly recommended.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup, and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ...