Your Vulnerability Disclosure Is Important To Us: An Analysis of Coordinated Vulnerability Disclosure Responses Using a Real Security Issue
Koen van Hove, Jeroen van der Ham-de Vos, Roland van Rijswijk-Deij

TL;DR
This study analyzes how public and critical infrastructure organizations respond to security vulnerability disclosures, revealing challenges in communication and resolution even with existing policies, and offers recommendations for improvement.
Contribution
It provides an empirical analysis of real vulnerability disclosures and organizational responses, highlighting issues and suggesting improvements for coordinated vulnerability disclosure processes.
Findings
Many organizations are hard to reach regarding security issues.
Having a policy improves response and resolution rates.
Half of reports remain unanswered after 90 days despite policies.
Abstract
It is a public secret that doing email securely is fraught with challenges. We found a vulnerability present at many email providers, allowing us to spoof email on behalf of many organisations. As email vulnerabilities are ten a penny, instead of focusing on yet another email vulnerability we ask a different question: how do organisations react to the disclosure of such a security issue in the wild? We specifically focus on organisations from the public and critical infrastructure sector who are required to respond to such notifications by law. We find that many organisations are difficult to reach when it concerns security issues, even if they have a security contact point. Additionally, our findings show that having policy in place improves the response and resolution rate, but that even with a policy in place, half of our reports remain unanswered and unsolved after 90 days. Based on…
Taxonomy
Topics: Information and Cyber Security
