Bug-Reporting Blues: The Vulnerability Disclosure Challenge

Daniel Cuthbert Analyzes Frequent Coordinated Disclosure Hurdles Facing Researchers
Daniel Cuthbert, security researcher

One recurring information security challenge is the process of vulnerability disclosure. When security researchers, often acting independently, find flaws in software, hardware or services, they can face numerous hurdles in trying to hand off their vulnerability report to someone in a position to get the bugs fixed.

Longtime information security researcher Daniel Cuthbert notes that lately, the COVID-19 pandemic has driven more people to rely on online tools for everything from holding work meetings to ordering groceries. That, in turn, has motivated some security researchers to take a closer look at these tools, encouraged by bug-bounty programs that will pay them for reports (see: So You Want to Build a Vulnerability Disclosure Program?).

Cuthbert says it's only natural that many more bugs keep coming to light. "Writing secure software is hard. It's not as simple as people think," he says. "There's way more information than when I started about how to find bugs, and you know all the rage now is bug-bounty hunters and bug bounties. Everyone is excited, like, 'I want to be a hacker!' And so they're finding bugs, and that's why … we're now hearing about, 'Oh my god, how do you report these bugs? This company wants to sue me. Why are you doing this?'"

In this video interview with Information Security Media Group, Cuthbert also discusses:

  • Why some organizations and industries respond unfavorably to bug reports or don't understand how to engage with vulnerability disclosure;
  • How structured security testing, pen testing and bug bounty programs differ and why each can be essential;
  • How organizations can improve handling of bug reports and how the proposed security.txt standard could help.

Cuthbert is a longtime security researcher, member of the Black Hat Review Board, founding member of the Open Source Foundation for Application Security and co-author of the OWASP Application Security Verification Standard.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
