This piece is written for the Responsible Disclosure Initiative of the Cyber Defence Research Center, Special Branch, Jharkhand Police (http://cdrc.jhpolice.gov.in/responsible-disclosure-submission/)
Responsible Disclosure is a concept alien to our country. We should not single out our country, though: it is alien to the world, and the world is only just waking up to it.
There are bound to be many questions, both for and against, and yet only one simple action is required of everyone: change your thinking to align with the new age of technology and the internet.
One must remember that not every action in the realm of the internet is covered by law as it stands, nor is it understood by the law or by lawmakers. Time and again we are distressed by the shortcomings of existing laws like the new IT Act. Over the past few years we have witnessed a number of instances of ethical researchers venting their frustration in the face of inaction by the vulnerable organizations. Their frustration, and that of the community, is compounded when these organizations have taken retaliatory action against the researcher, at times unlawful in nature.
Unfortunately the researcher has not been able to stand up for his/her rights and bears punishment for doing a good deed. Things can go horribly wrong, and a good white hat may decide to cross over and become a black hat. No prizes for guessing the first target!
It is important to harness the skills of the researcher and bring the advantage to lawful use. It is important to bring the knowledge to the organization that is researched, so that it remediates the reported vulnerabilities and gains commercially through the fees saved. It is important that this unsolicited research activity is recognized as another internet phenomenon and as a technical whistleblowing activity, so that a proper platform is provided which will suit the sensibilities of the brick-and-mortar world.
Such a platform is termed "Responsible Disclosure" and, like all internet and technology activities, it has unwritten rules and rules of engagement. This piece will try to collate some rules that will govern responsible disclosure transactions (or activities) in terms of the engagement etiquette and expectations.
There are usually three parties involved in a Responsible Disclosure (RD) transaction:
1. The 'DISCLOSER' is the person or entity who discovers a vulnerability in someone's IT infrastructure, website, or application.
2. The 'DISCLOSEE' is the entity or organization who owns, or is responsible for, the IT infrastructure, website or application in which the vulnerability was discovered.
3. The Responsible Disclosure "Host Facility" provider, who acts as the "escrow" between the discloser and the disclosee and is the custodian of the rights and security of both parties.
An RD transaction requires both discloser and disclosee to be responsible in their approach. There has to be mutual respect for each other - the discloser must respect the confidentiality and the business interests of the disclosee; and the disclosee must recognize and respect the skills and ethical behavior of the discloser.
Once these grounds are set, it is important to keep a number of other points in mind that will govern the activity and the conduct of all concerned parties.
FOR THE DISCLOSEE
- do not consider a disclosure to be an attempt to insult you or your organization, or to harass you in any manner.
- accept the vulnerability information maturely and accept the presence of the vulnerability in your systems.
- respect the skill of the person who discovered the vulnerability.
- recognize and accept the fact that there were some errors / weaknesses that were overlooked and are now being brought to your notice by some well-meaning person(s).
- ask for help from the same person(s) if your team does not have the expertise or skills to remediate the weakness.
- accept that the discloser is ethical and has come forward to share the information with you.
- understand that the discloser has not taken advantage and exploited the vulnerability.
- finally, be happy that you saved a considerable amount of money which you would otherwise have spent on conducting a vulnerability assessment / penetration test on your systems or infrastructure. Remember also that you can offer the researcher a job, since you would be hiring someone with proven skills (and you can save on hiring costs too).
FOR THE DISCLOSER
- do not assume that the disclosee organization is staffed by ignorant people just because you were able to discover a vulnerability.
- do not carry out a destructive test on any site that you are researching.
- make sure your POC (proof of concept) document lists every step and test that you have carried out.
- provide remediation suggestions for the vulnerabilities which you have discovered.
- never take the high ground just because you may be more intelligent than others - remember there are others in the world who are better.
- prepare a nice POC in a professional, dispassionate manner so that the receiving organization is blown away by your work.
- if the disclosee organization asks to meet you, make sure that they indemnify you from any action before you permit the RD Host to disclose your identity. Seek help from the RD Host to prepare the necessary legal indemnity document before revealing yourself. This is a precautionary measure, since in the event of a lawsuit you are on your own!
- if the disclosee organization requests you to help close the vulnerabilities, the request will come through the RD Host. First take the precautions indicated above and then offer your services if you have the time... and do not forget to charge them this time, as you have already done enough free service!
- if the disclosee organization offers you a job... all the best!
THE RESPONSIBLE DISCLOSURE HOST (RD Host)
It is also essential for an atmosphere of trust to exist between the discloser and the disclosee. However, as the two parties may not be known to each other, it will be difficult to establish a trust relationship in view of the sensitive nature of the information being exchanged. As such, the introduction of an escrow service can facilitate a trust relationship which will make it easy for the transaction to take place. This escrow can be termed an "RD Host" organization, and the following points are relevant to its operation and functions:
- the RD Host should (preferably) be a part of a law enforcement agency or supported by one.
- the hosting organization will ensure that the information is shared with the disclosee in the manner which was requested at the time of submission.
- a professionally submitted POC will bring pride to the hosting organization, as it will be recognized as an organization which has been able to disseminate a sense of ethics and responsibility among its supporters.
- it will carry out the responsibility of disclosure in a lawful and discreet manner and will provide assistance to both discloser and disclosee as needed.
- assistance to the discloser may be in the form of help to close the vulnerabilities.
- assistance to the disclosee may be in the form of protection against identity disclosure or against unlawful action by the affected party/parties.
- it will hand-hold the discloser when introducing him/her to the disclosee, as indicated above.