New Research Reveals Companies and Security Researchers Are Coordinating More Closely Than Ever Before
90% of respondents believe coordinated disclosure of vulnerabilities is a public good
BURLINGTON, Mass. – September 19, 2019 – Veracode, a leading provider in application security testing (AST), today released results of a global survey on software vulnerability disclosure, “Exploring Coordinated Disclosure,” that examines the attitudes, policies and expectations associated with how organizations and external security researchers work together when vulnerabilities are identified.
The study reveals that, today, software companies and security researchers are near universal in their belief that disclosing vulnerabilities to improve software security is good for everyone. The report found 90% of respondents confirmed disclosing vulnerabilities “publicly serves a broader purpose of improving how software is developed, used and fixed.” This represents an inflection point in the software industry – recognition that unaddressed vulnerabilities create enormous risk of negative consequences to business interests, consumers, and even global economic stability.
“The alignment that the study reveals is very positive,” said Veracode Chief Technology Officer and co-founder Chris Wysopal. “The challenge, however, is that vulnerability disclosure policies are wildly inconsistent. If researchers are unsure how to proceed when they find a vulnerability it leaves organizations exposed to security threats giving criminals a chance to exploit these vulnerabilities. Today, we have both tools and processes to find and reduce bugs in software during the development process. But even with these tools, new vulnerabilities are found every day. A strong disclosure policy is a necessary part of an organization’s security strategy and allows researchers to work with an organization to reduce its exposure. A good vulnerability disclosure policy will have established procedures to work with outside security researchers, set expectations on fix timelines and outcomes, and test for defects and fix software before it is shipped.”
Key findings of the research include:
- Unsolicited vulnerability disclosures happen regularly. The report found more than one-third of companies received an unsolicited vulnerability disclosure report in the past 12 months, representing an opportunity to work together with the reporting party to fix the vulnerability and then disclose it, thus improving overall security. For those organizations that received an unsolicited vulnerability report, 90% of vulnerabilities were disclosed in a coordinated fashion between security researchers and the organization. This is evidence of a significant shift in mindset that working collaboratively is the most effective approach toward transparency and improved security.
- Security researchers are motivated by the greater good. The study shows security researchers are generally reasonable and motivated by a desire to improve security for the greater good. Fifty-seven percent of researchers expect to be told when a vulnerability is fixed, 47% expect regular updates on the correction, and 37% expect to validate the fix. Only 18% of respondents expect to be paid and just 16% expect recognition for their finding.
- Organizations will collaborate to solve issues. Promisingly, three in four companies report having an established method for receiving a report from a security researcher and 71% of developers feel that security researchers should be able to do unsolicited testing. This may seem counterintuitive since developers would be most impacted in having their workflow interrupted to make an emergency fix, yet the data show developers view coordinated disclosure as part of their secure development process, expect to have their work tested outside the organization, and are ready to respond to problems that are identified.
- Security researchers’ expectations for remediation time aren’t always realistic. After reporting a vulnerability, the data shows 65% of security researchers expect a fix in less than 60 days. That timeline might be too aggressive and even unrealistic when weighed against the most recent Veracode State of Software Security Volume 9 report, which found more than 70% of all flaws remain one month after discovery and nearly 55% remain three months after discovery. The research shows that organizations are dedicated to fixing and responsibly disclosing flaws and they must be given reasonable time to do so.
- Bug bounties aren’t a panacea. Bug bounty programs get the lion’s share of attention related to disclosure but the lure of a payday actually is not driving most disclosures, according to the research. Nearly half (47%) of organizations have implemented bug bounty programs but just 19% of vulnerability reports come via these programs. While they can be part of an overarching security strategy, bug bounties often prove inefficient and expensive. Given that the majority of security researchers are primarily motivated by seeing a vulnerability fixed rather than money, organizations should consider focusing their finite resources on secure software development that finds vulnerabilities within the software development lifecycle.
To gather relevant data for this report, 451 Research conducted survey commissioned by Veracode from December 2018 to January 2019 using a representative sample of 1,000 respondents across a range of industries and organization sizes in the US, Germany, France, Italy and the UK. Survey respondents reported enterprise roles such as application development, infrastructure and information security, as well as security consultants, third-party vulnerability assessors or penetration testers, and independent security researchers. Respondents were required to have an average to high level of familiarity with vulnerability disclosure models to participate.
Why We Commissioned This Research
Veracode envisions a world in which the software fueling economic growth and solving society’s greatest challenges is developed secure from the start. As a leading provider of application security software, clients seek our advice and leadership around how to structure their teams, AppSec technology portfolio, and business processes to deliver the most secure software they possibly can. Our intent in commissioning this research was to establish a current view of perceptions around coordinated vulnerability disclosure and to define a set of clear recommendations that help businesses progressively deliver on the objective of developing software that is secure from the start.
With its combination of automation, process, and speed, Veracode becomes a seamless part of the software lifecycle, eliminating the friction that arises when security is detached from the development and deployment process. As a result, enterprises are able to fully realize the advantages of DevOps environments while ensuring secure code is synonymous with high-quality code.
Veracode serves more than 2,100 customers worldwide across a wide range of industries. The Veracode Platform has assessed more than 10 trillion lines of code and helped companies fix more than 36 million security flaws.