Vulnerabilities in widely used software and hardware can cause immense societal harm across the globe. Economic incentives play a key role in whether users, vendors, finders and coordinators disclose vulnerabilities once they have been discovered.
National governments should adopt a coordinated vulnerability disclosure policy and begin a discussion of how to best approach a government disclosure decisions process.
Background
Vulnerability disclosure refers to the process of identifying, reporting and patching weaknesses of software, hardware, or services that can be exploited. In recent years, there have been numerous high-profile vulnerabilities disclosed or exploited that have incurred significant economic and societal costs. While some of these disclosures have been done so responsibly, other vulnerabilities have come to light only after substantial cyber attacks.
The various actors within a vulnerability disclosure process are subject to a range of economic considerations and incentives that may influence their behaviour. These economic aspects are often overlooked and poorly understood, however they may help explain why some vulnerabilities are disclosed responsibly while others are not.
Goals
The European Union Agency for Network and Information Security (ENISA) commissioned this study as part of a follow up on the 2015 Good Practice Guide on Vulnerability Disclosure, to better understand the economics of vulnerability disclosure by providing a glimpse into the costs, incentives and impact related to discovering and disclosing vulnerabilities.
Methodology
The study was carried out through a mixed-methods approach comprising desk research, literature review and key informant interviews. The review of the available literature included academic research, technical reports, company publications, media articles and blogs, while a total of 13 interviews were carried out with experts from the vulnerability disclosure community.
Findings
Economic incentives play a key role in vulnerability disclosure across all actors and processes, regardless of what type of vulnerability disclosure process is ultimately pursued.
Economic decisions taken in the vulnerability disclosure process largely depend on the particular incentives perceived by each actor at different stages of the process. There are four main actor groups within the vulnerability disclosure process: Users, Vendors, Finders and Coordinators. There are also several possible vulnerability disclosure options that actors can engage in, including full, limited, or non-disclosure, which further influence the types of economic considerations and incentives that are present. Vulnerability disclosure actors are subject to economic incentives and motivations that may influence their behaviour at the individual and organisational level, as well as at the structural and normative levels.
Vulnerabilities in widely used software and hardware can cause immense societal harm across the globe.
It is necessary to have processes in place to adequately identify, report and mitigate vulnerabilities. As the potential risk is so severe, vendors that develop or manufacture products or services for the Internet or the global ICT ecosystem may soon require the ability to receive good-faith vulnerability reports from the community.
Recommendations
Vulnerability disclosure should be approached as an ecosystem.
National governments should adopt a coordinated vulnerability disclosure (CVD) policy and begin a discussion of how to best approach a government disclosure decisions process.
The CVD process relies on a finder, vendor and sometimes a coordinator, the relationship between which largely determines the success of CVD. A number of tools and enablers can help each actor to recognise the importance of setting up and running mutually beneficial structures that enable CVD, including:
Awareness and capacity building, to help actors to understand the economic incentives and behaviour of other parties involved in CVD.
Providing actors with resources, good practice and voluntary standards, to help promote mutually beneficial and standardised behaviour.
Communication skills, to help finders and vendors constructively engage with each other in a timely fashion and a shared language.
More empirical data is needed in this emerging area of research.
The study also reaffirmed that the economics of vulnerability disclosure is an emerging area of research, with a clear need for additional empirical data and relevant research in a number of areas, including:
The motivations of finders to better understand why certain security researchers work to identify and report vulnerabilities, even in the absence of financial compensation.
How to better quantify the cost of the exploitation of vulnerabilities to inform discussions on liability, insurance and other structural levers.
The cost of implementing and running vulnerability disclosure programmes to help organisations make better informed decisions about security investments and trade-offs between different types of security interventions.
Quantification of security gains through vulnerability disclosure to better understand the value that vulnerability disclosure programmes bring.
The cost of developing and implementing patches to understand the economic costs associated with vulnerabilities beyond costs accrued due to their exploitation.