Vulnerability Disclosures

The current generation of technology and tools doesn’t make us any more secure. It just allows us to fail faster and with greater impact.

Security is fortunately well-known in computer science nowadays but it’s an ongoing process to keep things secure. New research in computer science means we who do security research have to catch up.

My Work

The work I do normally falls under NDA and we work together with our clients to help them – or help their vendor – resolve any issues. Usually it culminates in an upgrade to the SaaS service, or a security update and an advisory.

The disclosures posted here on my blog stem from my own research, which can either be deliberate or accidental.

Mindset

I believe we who are able should try to contribute to making the internet more secure. We should expect that all computer systems are hackable, it’s just a matter of when – not if.

If you notice something out of place in your day-to-day life, you’d probably get in touch with whomever it concerns. Your neighbour left their keys in the front door, a local office building has a window open in the evening, etc. I believe we should do the same in the digital realm.

Responsibility and Ethics

The request-response nature of networked services blurs the line between being a good Samaritan and attacking someone else’s system. In the end, it comes down to why a researcher is looking at something, and how they go about doing it.

For identified weaknesses and vulnerabilities, I firmly believe that the security of end users and their data is most important. Because of this, it is important that the operator, vendor, or maintainer are notified and allowed to resolve the issue.

Working to help increase security is just that – help. It’s never about shaming or placing blame.

Why Disclose?

Public disclosure serves two purposes:

  1. It forces the party responsible to take action within a reasonable time frame.
  2. It informs the public about the issue, allowing them to take immediate action.

The obvious downside is that the disclosure also informs threat actors. Immediate public disclosure is therefore unlikely to help the end users unless the vulnerability is already known.

Disclosures