
Responsible Disclosure - Reporting Vulnerabilities Ethically


Responsible disclosure is a process in which, upon discovering a vulnerability in software or a service, the finder first notifies the vendor privately and publishes the information only after a fix (patch) has been provided. This framework, in which the finder and the vendor cooperate to address the vulnerability, is widely accepted in today's security community as a balanced approach that protects users from attacks while also preserving the transparency of security research.

The Difference from Full Disclosure

There are broadly three positions on vulnerability disclosure policy, each based on a different philosophy.

| Policy | Overview | Advantage | Risk |
|---|---|---|---|
| Responsible disclosure | Notify the vendor first and publish after the fix | Information is published with users already protected | The vendor may delay its response |
| Full disclosure | Publish all information immediately after discovery | Forces the vendor to respond quickly | Attackers can exploit it before a patch exists |
| Non-disclosure | Notify only the vendor and do not publish | Information never reaches attackers | The vendor's response cannot be verified |

The full disclosure movement of the early 2000s arose as a backlash against the problem of vendors ignoring vulnerability reports. However, the risk of attack code being published while no patch is available is great, so responsible disclosure is the mainstream today. In 2010, Microsoft proposed the term "Coordinated Vulnerability Disclosure (CVD)," emphasizing cooperation between finders and vendors.

A Typical Timeline and the 90-Day Rule

Day 0: Vulnerability discovered
Day 1-7: Notify the vendor
Day 7-83: Develop and verify the fix
Day 84-90: Patch released
Day 90+: Vulnerability disclosed

The "90-day rule" established by Google Project Zero in 2014 has taken hold as the industry-standard disclosure deadline. It is a policy of publishing vulnerability information once 90 days have passed since notifying the vendor, regardless of whether a patch exists. This deadline curbs vendors' incentive to postpone their response. In fact, Google Project Zero has disclosed vulnerabilities in Microsoft and Apple products after the deadline passed, prompting major vendors to improve their patch management systems.

The Relationship with Bug Bounties

Bug bounty programs are a mechanism that financially incentivizes responsible disclosure. When a finder reports a vulnerability to a vendor, a reward is paid according to its severity. Platforms such as HackerOne and Bugcrowd act as intermediaries, providing report templates, assistance with obtaining CVE numbers, and a framework of legal protection. In open-source security audits, too, the coordination between bug bounties and responsible disclosure is an important theme.

Legal Risk and Safe Harbor

Discovering and reporting vulnerabilities carries legal risk. Even a well-intentioned researcher may run afoul of laws such as the Unauthorized Computer Access Act (Japan), the CFAA (United States), and the Computer Misuse Act (United Kingdom). To mitigate this problem, many companies include a "safe harbor clause" in their security policies. A safe harbor clause explicitly states that no legal action will be taken against researchers who report vulnerabilities in accordance with the policy.

In the United States, in 2022 the Department of Justice revised its CFAA enforcement policy, indicating that good-faith security research would be excluded from prosecution. The EU's NIS2 Directive also requires member states to establish a framework for coordinated vulnerability disclosure. In Japan, however, safe harbor legislation has not advanced, and the IPA (Information-technology Promotion Agency) vulnerability reporting scheme serves as the de facto channel. The startup security checklist also introduces the steps for drafting a disclosure policy.

A Common Misconception

The idea that "you should publish a vulnerability on social media as soon as you find it" is dangerous. Publication while no patch exists gives attackers an opportunity to exploit it. Furthermore, conducting a penetration test against someone else's system without authorization can itself be illegal. As discussed in the article on supply chain attacks, handling vulnerability information properly is also important for preventing a chain of attacks.
