
Full Disclosure Is the Right Thing To Do. Full Stop.

Security incidents happen; that’s just reality. But how a company decides to handle an event says more about their values and priorities than their product. The recent Okta compromise, which came to light in March, reminds us of the damage inflicted when there is a lack of transparency between a security vendor and its customers. I won’t re-hash what’s already been said about customers not being notified right away; there is little to be gained with yet another article about Okta.

However, it’s disappointing that there are plenty of examples of companies choosing to go down the same path.

As a security industry, I feel that we need to focus more on the concept of “full disclosure”. Transparency and disclosure separate vendors who care about security from those that only care about near-term profits. This topic is so important that a May 2021 White House Executive Order on Improving the Nation’s Cybersecurity called for transparency from software developers and suppliers, including providing purchasers with a software bill of materials (SBOM) and participating in a vulnerability disclosure program that includes a reporting and disclosure process.

Full disclosure is an age-old concept, but the rise of bug bounty programs has contributed to the death of that practice. The premise behind companies’ bug bounty programs is to attract researchers to help them better secure their products. These programs are so popular that some of the largest technology companies pay researchers millions of dollars every year in return for their findings. Sounds admirable, right? Unfortunately, the unintended consequence is that vendors can tie up researchers with non-disclosure agreements that allow the vendor to expose or patch the vulnerabilities on their own timeline – if they patch them at all. Of course, vulnerabilities shouldn’t be made public without the researcher giving the vendor enough time to respond and mitigate. Full disclosure can also be responsible disclosure.

When it comes to responsible disclosure in the case of a compromise or a breach, full public disclosure is not appropriate during at least the critical early stages of discovery and mitigation, because mitigations or patches are often not yet available. Full public disclosure without being ready to address the issue can elevate the risk. However, notifying customers, or at the very least customers that are suspected of being directly impacted, should be the norm. The risk of brand damage shouldn’t outweigh the responsibility a vendor, especially a security vendor, has to its customers.

Security vendors of every ilk enter into a relationship with their customers. The foundation of this relationship is the implicit trust that the vendor will look out for its customers. Arming customers with as much information as possible, as early as possible, is paramount, even if the scope narrows as that information solidifies into facts. In other words, it’s better to cast a slightly wider net to get the information out to customers quickly.

The average time to discovery of a compromise continues to rise. In 2021 the average time to identify a breach was 212 days, up from 207 days in 2020. Disclosure of a supply chain compromise to customers can provide the thread that, when pulled, could greatly reduce the cascading time to discovery for each individual customer. At the very least, it can help prevent the chaos caused by everyone finding out at the same time when the threat actor posts bragging comments on social media, and the subsequent, more damaging impact to the vendor’s reputation.


I call on all my fellow InfoSec and cybersecurity vendors to adopt a standard for prompt, transparent and responsible disclosure of compromises to our customers. We must put aside the concern of temporary brand damage for the bigger picture of security and to honor that implicit trust relationship we enter into with our customers. At a time when the U.S. government is calling for greater transparency from software providers to enhance software supply chain security and integrity, it’s just the right thing to do.


Vice President, Threat Intelligence Engineering at ThreatQuotient