6 tips for receiving and responding to third-party security disclosures

Organizations—especially large companies—often don’t learn about an intrusion or breach of their systems until an external party like a security researcher, law enforcement agency or business partner alerts them to it. The expanding range of attack methods, the growing use of open-source components, and the adoption of cloud services have significantly expanded the attack surface at many organizations and made it harder for security teams to discover breaches on their own. SolarWinds for example, did not know that intruders had broken into its systems and distributed malware via its software until security vendor FireEye informed the company about a breach.

SolarWinds is one of many where a breach remained undetected for months because no one spotted it internally. So, processes for receiving and responding to inbound security intelligence—whether it’s a breach notification or information about a new significant threat—from external parties have become increasingly crucial in recent years.

“Anyone who creates products or services that have a cyber element to them should have an intake process so that external entities can report potential issues that could have an impact on their product or services,” says John Hellickson, CxO adviser, cyber strategy at Coalfire.

Here, according to him and others, are six tips for effectively implementing such a capability:

1. Have a well-defined policy for vulnerability disclosures 

Make sure to clearly communicate your organization’s policies for vulnerability disclosures to any external entity that wants to report a security or privacy issue, says Pete Lindstrom, vice president of security research with IDC. Spell out the organization’s expectations for how to report vulnerabilities in a responsible manner and provide an email address, phone number, or other way in which an external party can report a security or privacy concern.

Explain how the report or the information will be handled, investigated, and resolved. Let them know how quickly or how long it might take to vet and resolve the issue, so they know the information has not been ignored. Convey to the third party the organization’s policies for compensating or acknowledging them for their information—if you have one. If not, ensure that the third party knows there will be no compensation for the information, Lindstrom notes.

“Managing the expectation of the third party is going to be crucial to your success and your reputation,” Lindstrom says. “Public-acing actors are not operating on your timeline,” he says. So, it’s important they know exactly what to expect when they contact the organization with a security or privacy tip.

Scott Crawford, research director, information security at S&P Global Market Intelligence, advises that organizations take advantage of guidance such as that contained in the ISO/IEC 30111 standard to craft their vulnerability handling practices. Such standards can provide guidance on how to establish rules of engagement when dealing with third-party vulnerability disclosures including rules around acceptable disclosures and exceptions, he says.

2. Put an internal vulnerability management program in place

Regardless of whether you expect to receive security intelligence from an external source, it’s always a good idea to have a formal application security and vulnerability management program in place internally, Lindstrom says. It’s important for organizations to implement best practices such as regular vulnerability scanning and prompt security patching to reduce risk and also the likelihood of external parties finding and reporting vulnerabilities in the first place. “You should be actively seeking to make this an important part of your security program,” he says. “You need to get your act together internally before you can start thinking about engaging with outside researchers.”

“Additionally, it’s good practice for organizations to perform dry runs on example scenarios that may be product specific all the way to involving the executive team and legal counsel depending,” says Hellickson. “Tabletop exercises also are a great source of security awareness education as well.”

3. Include a mechanism for responding to external tips in your incident management process

Make sure your incident management team has a plan for responding to security disclosures from external entities such as bug hunters, business partners, law enforcement, or customers. Just as an enterprise incident handling team has processes for responding to alerts received from internal security tools, computing systems, network sensors, and other sources, they need to have one for investigating and responding to security intelligence from an outside source, says Hellickson. “Every incident handling and response process should have a clearly defined process to prioritize, vet, and triage any given source of intelligence to the point of resolution.”

The process should have defined escalation procedures built in, where team members are identified ahead of time for their role and duties for such incidents, Hellickson says. Given the abundance of cyberattacks, every organization should have a defined incident handing and response plan that details the step-by-step process for receiving information about a possible incident and for triaging it appropriately.

Incident management teams need to be ready to drop everything if needed to respond to a vulnerability disclosure in production code, says Kevin Dunne, president at Pathlock. “Left unresolved, these vulnerabilities will often be sold on the black market and can be exploited if not remedied quickly.”

4. Be prepared to involve multiple stakeholders 

The IT or the security organization has to be in charge of the mailbox or phone number that receives tips from an external source. They are also in the best position to investigate and remediate any reported issues. However, it’s important to have a plan in place to quickly include members from other groups across the enterprise if needed. That’s because there’s no telling how events might play out when engaging with an external security researcher or bug hunter, Lindstrom says.

For example, it is possible that a researcher might want to be compensated for disclosing a vulnerability—especially if an organization has no clearly defined policy for handling such disclosures. In such a situation, the security team might need to have someone from the legal department on hand to negotiate with the researcher. Vulnerability disclosures that are not handled with care can hurt an organization’s reputation and brand, so having members from the communication and marketing team can be useful, Lindstrom says. “There are a lot of moving parts, when it comes to handling vulnerability disclosures,” he says. “A lot of the risk revolves around the communication and reputation aspect of the whole thing.”

5. Consider signing up for a managed vulnerability coordination/bug bounty program

Large organizations and those with a major public profile should consider signing up with organizations such as HackerOne and BugCrowd that coordinate vulnerability disclosures. Such programs offer external parties a place for reporting vulnerability discoveries or privacy breaches in a responsible manner.

Vulnerability disclosure programs offer organizations a great way to outsource the whole issue, Crawford from S&P Global Intelligence says. While such programs do not eliminate the need for a well-defined internal incident response capability, they can help handle all of the initial processes around receiving and responding to external vulnerability researchers and communicating with them. The programs offer third-party researchers and bug hunters a structured way to find bugs in an organization’s applications and service in a manner that minimizes risk to the organizations, he says.

Many companies today solicit information from independent third-party researchers by way of published bug bounty or vulnerability programs says Dunne. “The companies that can solicit information the most easily are usually those that have one or more consumer-facing services. So, industries like hospitality, retail, travel, and consumer finance often have the strongest programs,” he says.

“Organizations who receive unsolicited intelligence from third-party researchers, but don’t have a process for formally acknowledging it, should strongly consider putting one in place,” Dunne says. Even if your organization doesn’t provide a bounty for identified exploits and vulnerabilities, it is a good idea to have a plan for responding and acknowledging disclosures and for communicating remediation plans to researchers and customers alike. “When exploits are reported but nothing is done, it is bad for the business,” he says. “Failing to acknowledge exploits essentially communicates that the organization is not taking security seriously, and it doesn’t value its customers’ data.” 

6. Clearly define scope when soliciting threat intelligence

Companies that contract with a vulnerability disclosure program or solicit intelligence from independent researchers and bug hunters should carefully think through several critical issues, Dunne says. For example, they need to decide if they want to make the program public to everyone or only to selected researchers. They have to identify the types of security issues or privacy issues they are most interested in uncovering. They need to have a plan in advance for testing a reported security issue. “Will the testing be done in the production environment? Or in a separate clone of production which is maintained for researchers?” he says.

Similarly, they have to decide in advance if they are willing to offer a reward or other compensation for a vulnerability disclosure and whether that reward will be a flat fee or will scale based on the severity of an issue. “Is it more than the researcher might get by selling it on the black market?”