The Pains Of Vulnerability Coordination – And What To Learn From It

Some of the members of our Risk Based Security Vulnerability Research Team have been discovering and coordinating vulnerabilities for almost 20 years. Coordinating vulnerabilities can be painful at times, even though things have improved overall, especially when coordinating with companies from the USA and most parts of the EU. The difficulties are compounded when the discovered vulnerabilities are in products from vendors in other parts of the world, even when reporting them through a government agency specifically set up to handle them.


Two weeks ago, we disclosed 40 critical vulnerabilities in ActiveX controls from South Korea. Most of these could easily have been exploited in 0-day attacks similar to many of those historically attributed to North Korea in past years. Since the vulnerabilities were in ActiveX controls from many different vendors, we coordinated our findings through KrCERT/CC, part of the Korea Internet & Security Agency (KISA).


We wanted to share some of the difficulties we recently ran into, and some key learnings for companies and government entities dealing with vulnerability researchers.


  • Have at least one team member proficient in English: The very first hurdle was the language barrier, although we did manage to get by in English. PSIRT teams, and those in similar roles, who are the contact point for vulnerability researchers, should always be proficient in English regardless of where they’re located in the world. The vast majority of vulnerability researchers will be contacting you in English.

  • Be responsive and provide clear status updates on a regular basis: Overall KISA was pretty fast at responding, but we did get the impression that they were not used to dealing with vulnerability researchers from abroad. We had to ask for status updates and be ..