[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (3) by Lorenzo Pupillo
•
0 likes•32 views
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
Report
Share
More Related Content
Similar to [cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (3) by Lorenzo Pupillo
Similar to [cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (3) by Lorenzo Pupillo (20)
More from CODE BLUE
More from CODE BLUE (20)
Recently uploaded
Recently uploaded (20)
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (3) by Lorenzo Pupillo
- 1. Coordinated Vulnerability Disclosure Policies in the EU Code Blue Security Conference, Tokyo 27-28 October 2022 Lorenzo Pupillo, Associate Senior Research Fellow and Head of the Cybersecurity@CEPS Inititiative, CEPS, Brussels
- 2. ENISA Study 2021 ENISA: Project Officers • Marnix Dekker • Evangelos Kantas • Slawomir Bryska CEPS: Research Team • Lorenzo Pupillo • Carolina Polito • Francesco Campoli Wavestone Research Team • Nick Conway • Aude Thirriot • Thiago Barbizan • Solène Drugeot • Cristian Michael Tracci
- 3. Agenda Current state of play of CVD policies • State of play in the EU Member States • State of play in non-EU countries Key findings on CVD national policies • Level of criticality of the vulnerability treatment and CVD processes • Good practices on CVD policy and elements of a CVD process Overview of challenges and issues on CVD national policies • Challenges and issues related to CVD policies • Suggestions on how to overcome CVD policy challenges shared by interviewees
- 4. CURRENT STATE OF PLAY OF CVD POLICIES
- 5. State of play in the EU Member States (1/3) While evolving in a fragmented EU environment, multiple EU Member States are making steps forward in the development of national CVD policies but at different paces. • Belgium, France, Lithuania, and the Netherlands have implemented CVD policies. • 4 Member States are on the point of implementing a policy: the proposal is either being examined at the level of policymakers or is currently tested in Pilot Projects.
- 6. State of play in the EU Member States (2/3) • 10 Member States are in the process of implementing a national CVD policy. However, failure in reaching consensus at the political or legislative level hampered such a process. • Finally, 9 Member States has not implemented a CVD policy and the process for establishing one has not yet started.
- 7. State of play in the EU Member States (3/3) While evolving in a fragmented EU environment, multiple EU Member States are making steps forward in the development of national CVD policies but at different paces. Implementation of CVD policy at national level in Europe
- 8. KEY FINDINGS ON CVD NATIONAL POLICIES
- 9. Level of criticality of the vulnerability treatment LIFECYCLE and CVD processes • Discovery: to reduce a vulnerability’s harmfulness, someone has to discover it in the first place. • Handling: If the vulnerability is in a product’s code (code vulnerability), the ‘code owner’ needs to develop mitigation and distribute it to all users (‘vulnerability handling’). • Management: if the vulnerability is a misconfiguration or unapplied mitigation (often a patch) in an information system (system vulnerability), the ‘system owner’ needs to manage it, i.e., apply the patch or change the system or product configuration as soon as possible. • Disclosure: In most cases, code vulnerability information needs to be disclosed publicly or at least to the security community or targeted audiences 9
- 10. GOOD PRACTICES ON CVD POLICY AND ELEMENTS OF A CVD PROCESS Content of a CVD Policy • The CVD policy shall contain a description of the mutual obligations of the involved parties, namely: • Authorization to Access the Computer System (Proportionality) • Information required to report a vulnerability • Confidentiality • Procedural deadlines (within 90 days) • Communication channels • Reward to Security researchers • Public disclosure
- 11. GOOD PRACTICES ON CVD POLICY AND ELEMENTS OF A CVD PROCESS Member States have highlighted a series of procedures they have implemented that should be regarded as best practices: • References to two standards: ISO/IEC 2914741 (disclosing vulnerability) and ISO/IEC 3011142 (processing procedures for the reported vulnerability • Bottom-up Approach (The Netherlands) • Talk to the vendors • Familiarise with the ethical hackers community • Insulate the information • Implement the OECD’s recommendations/good practices • Adopt the Common Security Advisory Framework
- 12. ZOOMING on SOME Elements of CVD processes • Entities involved: role of the national CERT and/or the National Cybersecurity Authority: (observer or central role ) • Tools: dedicated website, implementation of ticketing systems, custom tools (Cuckoo Sandbox), validation tools (Burp suite), warning and information systems (Common Security Advisory Framework), communication tools especially in multiparty processes, find vulnerabilities through opensource intelligence software • Awareness raising campaigns: Lithuania: Cybersec Breakfast; The Netherlands: Hack right • Operational and crisis management activities
- 13. OVERVIEW OF CHALLENGES AND ISSUES ON CVDNATIONAL POLICIES
- 14. CHALLENGES AND ISSUES RELATED TO CVD POLICIES Overview of the challenges
- 15. LEGAL CHALLENGES • Criminal law: According to the Cybercrime Convention, intentionally accessing a computer system without rights is a criminal offence. • Copyright law: Researchers can breach copyright law when the information disclosed entails portions of copyrighted code. The vulnerability owners can establish exemptions, enabling the possibility of safe harbours • Data protection law: Researchers, discovering vulnerabilities may access personal data which could be interpreted as a breach of data protection law. • Contract Law: Bug bounty policies and in some cases vulnerability disclosure policies represent the terms of a contract between the vulnerability owner and the researcher. Breaching the terms of the contract entails legal liability and risks for the researcher, • Export control legislation and regulation are often cited as a legal risk for researchers as they may apply to tools and knowledge used to discover vulnerabilities
- 16. Other CHALLENGES Economic Challenges Political challenges • Vulnerabilities and software market dynamics • Lack of cooperation among stakeholders • Limited market incentives for security researchers to participate in CVD programs • Most security researchers are activists not professionals employed by private companies • Lack of resources and skills to implement CVD polices • Cost of implementation and operation of CVD policies are considered as relatively less impactful • Top Down or Bottom-up Approach • The role of Government • Updating imperfect cybercrime and Intellectual Property frameworks • Support and enable CVD policies • Leading by example in establishing CVD policies (adapting CVD within the government, etc..) • The role of the private sector • Leader or follower?
- 17. Overcome the challenges Overcome the Legal Challenges • Two questions relating to the link of vulnerabilities discovery and criminal offence: • Circumstances under which finding vulnerabilities may be associated with criminal offense (substantial). • Conditions to be met for any crimes associated with finding vulnerabilities to be prosecuted (procedural). • Since according to the Budapest Convention only the ‘unauthorised access should be considered as criminal offence’, computer system owners can authorise access through the publication of a CVD policy; EU countries could implement CVD policies that will offer a limited liability waiver to security researchers. • Since Criminal Law is a prerogative of Member States , they could amend their criminal law to create the legal certainty for security researchers. • The EU could amend the 2013/40/EU Cybercrime Directive to offer legal certainty to security researchers. • The protection of security researchers could also be achieved by recognising the status of whistle-blower in the sense of Directive 2019/1937. • It would be helpful to define the role of ethical hackers: a law could be drafted defining ad-hoc criteria.
- 18. Overcome the challenges • Overcome the economic challenges • Promote appropriate policies aimed at encouraging security researchers to actively participate in CVD programmes • Specific role for bug bounty programmes: should the EU set up a program or rather harmonise regulation an practices across the EU Member States? • Support to research programmes to foster CVD policies among public and private researchers in Europe (Digital Europe Programme and Horizon Europe) • The EU should make available funding and programmes to train people and make viable the development of CVD policies in the EU • Overcome the political challenges • Top Down or Bottom-up Approach: An EU approach could take the form of a common model of CVD at the EU level, promoting coordination at the EU and international level. • The role of Government: • Updating cybercrime and intellectual property frameworks to better protect security researchers, for example through ‘safe harbours’, • Leading by example in the establishment of a CVD policy (e.g., CVD within the government, etc.) • The role of the private sector: • Private entities should not wait for government policy interventions and define CVD polices to publish on the organisation’s website.
- 19. CVD in NIS 2 • The Directive also establishes a framework for Coordinated Vulnerability Disclosure and requires Member States to designate CSIRTs to act as trusted intermediaries and facilitate the interaction between the reporting entities and the manufacturers or providers of ICT products and ICT services. ENISA is required to develop and maintain a European vulnerability registry for the discovered vulnerabilities.
- 21. 1 Place du Congres, 1000 Brussels Tel: (+32 2)229 39 11 info@ceps.eu Thank You! @CEPS_ThinkTank