Cisco’s Talos security research group is changing its policies for responsible disclosure of security vulnerabilities, providing impacted vendors with more time to fix issues. Cisco had been working with a responsible disclosure timeline of 60 days before publicly announcing a vulnerability and it is now extending the public disclosure timeline out to 90 days.
“Basically at the end of the day, our goal is to protect our customers and the vulnerability research we do is one of the ways we accomplish that objective,” Earl Carter, threat researcher at Cisco, told eWEEK.
As to why Cisco is extending its responsible disclosure timeline now, Carter explained that over the past year, Cisco Talos’ own research has revealed that the overall average time to patch for vulnerabilities is 78 days. That is, it takes on average software vendors 78 days to fix an issue that Cisco Talos privately reported. It became clear to Cisco Talos that its 60 day public disclosure policy didn’t align with the reality of software developer patching. As such, in order to better align the patching of vulnerabilities with the disclosure of vulnerabilities, Cisco decided to extend public disclosure out to 90 days.
Not all classes of software are patched by developers and vendors at the same rate. While the industry average for patching as measured by Cisco Talos was 78 days, open-source software vendors on average patched within 42 days. Carter noted that there are a number of reasons why open-source software projects were found to patch vulnerabilities faster. Among them is the fact that some open-source projects have large communities that can mobilize rapidly to develop patches for flaws,
“Often these technologies are not as complex as commercial solutions, and as a result can be patched quicker,” Carter said. “Also, since these patches are developed through a community-approach, the patches don’t go through the in-depth testing that commercial solutions often go through to ensure the integrity of the patch.”
A key challenge for any form of responsible disclosure is when a threat is being actively exploited. While some vendors will choose to disclose issues after they are already being exploited in order to help expedite a fix, Cisco Talos is taking a somewhat measured approach. Carter explained that it’s a tricky situation when a threat is being actively exploited and there is a need to get a fix out as quickly as possible.
“It doesn’t help anyone just to dump something out into the wild to let everybody know about a vulnerability, you have to work with the vendors to try and resolve the problems,” Carter said. “Just putting the issue out that doesn’t resolve the issue.”
Responsible disclosure has long been a topic of much debate in the security community with some experts advocating for shorter timelines to help improve security. Security experts contacted by eWEEK had mixed reactions to the idea of extending a public disclosure timeline.
“A timeline for releasing a patch is not a simple decision,” Cesar Cerrudo, CTO of IOActive Labs told eWEEK. “Depending on the vulnerability, more days means more possibilities for the vulnerability being exploited.”
Cerrudo added that typically companies patch systems some time after the patches are released by software vendors since they need to do some testing before deploying a patch. He noted that if a public disclosure timeline is extended this means that companies will potentially have even more time unprotected.
When it comes to vulnerabilities that are already being exploited, Cerrudo’s view is that responsible disclosure timelines should be ignored and a patch should be released as soon as possible.
Kevin Bocek, Vice-President of Security Strategy and Threat Intelligence at Venafi, emphasized that when it comes to security vulnerabilities, speed matters. He commented that attackers don’t wait and longer disclosure times mean businesses, governments, and consumers remain vulnerable.
“Increasing disclosure times just doesn’t make sense,” Bocek told eWEEK. “It’s only certain that vulnerabilities will become more serious in the age of IoT, cloud, and DevOps.”
John Bambenek, manager of Threat Systems at Fidelis Cybersecurity, also commented that in general the shorter the timelines for public disclosure of a vulnerability, the better. “It is naïve to think a security researcher is the first and only person to discover a vulnerability,” Bambenek said.
For its part, Cisco plans on constantly measuring and analyzing how vendors respond to its disclosures to see if any changes are needed to its new 90 day responsible disclosure policy.
“Just because you give them (vendors) a a shorter period of time, you can’t can’t expect things to happen,” Carter said. “We’ll measure as we go forward and see what results we see.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist