I Am The Cavalry Position on Disclosure
Those concerned with public safety and human life should take sufficient care to avoid inadvertently putting them at risk.
All systems fail. There is no system without flaw. Flaws with the potential to inflict harm make products – and the people that rely on them – vulnerable to accidents and adversaries. Researchers seek to find these vulnerabilities so we can fix them and improve safety.
Unknown flaws represent potential harm. Finding and revealing them makes both adversaries and defenders aware. During the time between finding and fixing the vulnerability there may be a temporary adversary advantage. Defenders can address both the vulnerability itself and the practice that led to the flaw, giving them a permanent advantage.
All due care should be taken to reduce the time window, degree and impact from this exposure. This necessitates coordination among researchers, affected parties and other stakeholders. The ideal state is one in which affected systems are no longer vulnerable by the time the flaw is known to adversaries. This process of finding, reporting and fixing vulnerabilities increases safety.
Why security research is necessary
We believe the following:
- Our dependence on technology is growing faster than our ability to secure it.
- This dependence now extends to systems that can affect public safety and human life.
- All systems contain flaws – technology systems are no different.
- Flaws which carry potential risk of harm leave us vulnerable to adversaries and accidents.
- Security research should seek to find and disclose flaws in a way that reduces harm.
- Manufacturers and researchers should work in good faith as colleagues.
I Am The Cavalry encourages researchers to
Act in good faith to reduce potential for harm. The goal of coordination is to improve safety and reduce adversarial advantage. Acting in good faith with the affected stakeholders demonstrates the validity of security research to accomplish this goal for the public good.
Engage each stakeholder on their level. Different stakeholders operate and respond in different ways, given their experience and level of maturity. Using established terms and methods reduces time, effort and potential negative outcomes.
Understand safety benefits within context. Some products and features have inherent safety benefits that outweigh potential impact from vulnerabilities. Attempts to close vulnerabilities may lead to reduced overall contribution to safety if timeliness, cost, availability or other attributes are negatively affected.
I Am The Cavalry encourages manufacturers to
Embrace researchers who act in good faith. Research efforts can reduce the number and severity of vulnerabilities, and can lead to improved processes and products. This benefit can only be realized if manufacturers avail themselves of the resources provided. Value from researcher-manufacturer collaborations has led to manufacturers incentivizing research via recognition and reward programs.
Distinguish true adversaries from willing allies. While talented and persistent adversaries seek to harm, talented and persistent protectors seek to safeguard. Distinguishing between malicious attack and good faith effort allows manufacturers to discourage one and derive value from the other. Threat of reprisal against any vulnerability research damages trust relationships among stakeholders and deprives us all of safer outcomes.
Commit to engaging with the research community. Aligning to accepted and customary practices for vulnerability handling, such as international standards, reduces time, cost and potential negative impacts to all stakeholders. Publishing and following policies on terms, methods and outcomes of coordinated disclosure builds trust. Recognition and reward programs incentivize collaboration for mutual benefit.
I Am The Cavalry encourages the public and affected stakeholders to
Stay aware and informed of product safety. Where information is available about safety records, features and research, use this in your decision criteria. Understand safety in the broad context, considering costs and risks alongside benefits and features. Engage other affected parties to understand their positions and requirements.
Advocate for safety. Use purchasing power to shape decision-making and execution in manufacturing. Where vulnerabilities pose safety risks encourage research and disclosure to improve safety and build trust. Ask questions of manufacturers and vendors to understand what has been done to research safety vulnerabilities and how manufacturers are engaging the research community to benefit public good.
A Long View
While it is necessary and important to find and fix security vulnerabilities in these safety contexts, we must also seek to improve the way we design, test, and deploy these technologies. It is good to identify and remove one flaw in one device from one manufacturer. It is better to change to technology lifecycle toward more safe and defensible choices. It is best to align incentives to promote rapid development of inexpensive technologies with few side effects.
As such, I Am The Cavalry seeks to support efforts which discover and remediate safety issues in these technologies through education, awareness, and building collegial relationships between researchers and affected manufacturers and industries.
(Adapted from the NTIA Early Stage Template for Coordinated Vulnerability Disclosure)
Safety-critical systems (such as medical devices, cars, and those in public infrastructure) are increasingly dependent on software, and therefore increasingly subject to software security issues. Coordinated vulnerability disclosure directs energy and attention into improving the safety and security of systems and software for the overall population. Compared with traditional IT systems, manufacturers of safety-critical systems have a higher consequence of failure and relatively less experience with vulnerability disclosure. High trust, high collaboration interactions come from understanding mutual expectations and perspectives.
Vulnerability disclosure and remediation in cyber safety contexts should be handled with both due haste and due care. Remediation urgency can preserve safety, life, and trust; at the same time, validation and verification avoid unintended consequences, which can increase risk. Decisions considered insecure for a web application may be appropriate for an implanted medical device. Any hard deadline for disclosure or remediation may both be too long and too short to safely address security vulnerabilities in safety-critical systems.
Third-Party Vulnerability Coordinators
- CERT/CC – Part of the a non-profit Software Engineering Institute (SEI).
- US-CERT or ICS-CERT – The US government’s incident handling and vulnerability coordination organizations.
- FDA – The US regulator for medical devices. To report a vulnerability email AskMedCyberWorkshop@fda.hhs.gov
- Bug Crowd, HackerOne, SynAck – Companies that run disclosure programs for other organizations, and may help coordinate with organizations not on their platform.
Coordinated Vulnerability Disclosure guidance for companies
- US Department of Commerce, NTIA template and guidance document for vulnerability disclosure in safety critical systems.
- ISO/IEC 29147 Standard for Vulnerability Disclosure (free download)
- ISO/IEC 30111 Standard for Vulnerability Handling Processes
- US Department of Justice Framework for Vulnerability Disclosure for Online Systems
- Computer Emergency Response Team (CERT) Guide to Coordinated Vulnerability Disclosure
- Google Vulnerability Disclosure Philosophy
- Microsoft Coordinated Vulnerability Disclosure policy
Comments and questions should be sent to info [at] iamthecavalry.org
- 2014, June 25 – First Publication
- 2018, July 30 – References Updated
- 2018, August 24 – References Updated
- 2019, August 24 – Note on Safety-Critical Systems Added