Responsible Vulnerability Disclosure: Fostering communication in the cybersecurity community
A vulnerability that is present in any organisation is never a good thing. If it goes unnoticed and unreported to those concerned, it can lead to serious damage: a financial penalty imposed by the PDPC of up to S$1,000,000, and a tarnished reputation that costs the organisation the trust of loyal customers and potential future clients.
With this, the CSA has come up with Responsible Vulnerability Disclosure (RVD) to foster communication and cooperation in the cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace.
Responsible Vulnerability Disclosure, defined.
Responsible Vulnerability Disclosure (RVD) is the process in which the person or organisation responsible for a product or service (the “System Owner”) is informed of a cybersecurity vulnerability in the product or system in order to mitigate or eliminate the risk that the vulnerability will be exploited and minimise or prevent potential harms.
SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the broader cybersecurity community, and encourages anyone who has identified or suspects a vulnerability in a product or service (the “Informer”) to report it directly to the System Owner(s).
System Owners are encouraged to develop their own vulnerability disclosure policies outlining how vulnerability reports will be received and processed, what the reports should contain, approaches to disclosure to affected users and the public, and any rewards policies.
In situations where the Informer is unable to report a vulnerability directly to the System Owner(s), SingCERT may act as a coordinator by contacting the System Owner(s) and forwarding the report to them. To improve communication and coordination, SingCERT may put the Informer and System Owner(s) in direct contact when necessary and appropriate.
What Informers should do under the RVD
1. Always act responsibly, in good faith, and with reasonable care, for the sole purpose of reporting suspected vulnerabilities to System Owner(s) in order to help make cyberspace safer. Before taking any action, whenever possible, the System Owner(s)’ permission must be obtained, especially for actions that may negatively impact the System Owner(s) and users.
2. SingCERT recommends that Informers collaborate with System Owner(s) to resolve any validated vulnerability generally within 90 days, subject to their agreement or arrangement. They should refrain from disclosing vulnerability information to third parties or the general public until the System Owner(s) have had adequate time to develop and implement solutions to mitigate or eliminate the vulnerability.
Informers may encounter personal, sensitive, or confidential information during the RVD procedure. Informers should ensure that their actions do not compromise the confidentiality of such information, for example by creating unauthorised copies of it or disclosing it to unauthorised parties.
3. When performing actions related to assessing a vulnerability, do so deliberately and with due care. This includes ensuring that the actions do not compromise the availability of systems and services, and avoiding any action that is not strictly required for assessing, testing, or evaluating the security of those systems and services.
Informers should not use disruptive or destructive methods to identify vulnerabilities, such as attacks on physical security, social engineering, denial of service, spam, brute force, or third-party hacking/scanning applications to target websites.
4. Comply with all Singaporean and international laws. This includes adhering to the Singapore Computer Misuse Act (“CMA”) and avoiding conduct that could constitute a violation of the CMA. If you are uncertain about the scope and application of a particular law, you should seek and obtain professional legal counsel. Some illustrative, non-exhaustive examples of actions Informers should not take include:
- a. Acquiring unauthorised access to computer system(s) and establishing persistent access, or interfering with any computer process or service. Examples: deploying Trojan downloaders to install backdoors, or installing viruses or malicious software.
- b. Altering the contents or configuration of one or more computer systems in a way that disrupts or degrades the system. Examples: modifying IT configurations/parameters to disrupt the system, or installing malicious software within the system.
- c. Accessing or modifying the memory or data of any computer system when it is not strictly required for assessing, testing, or evaluating the system’s or service’s security. Examples: modifying portions of a website, or removing database entries.
- d. Intercepting a computer service for purposes other than assessing, testing, or evaluating the service’s security. Examples: using network interception or browser proxy tools to intercept network traffic, to steal session cookies, or to modify another user’s session cookie, thereby impeding the service’s availability for other users.
- e. Obstructing the use of computer systems or preventing others from accessing any stored program or data. Examples: causing a denial of service on the computer systems, or preventing other users from gaining access to them.
- f. Gaining unauthorised access to, and disclosing, a computer system’s passwords, access codes, or other means of gaining entry. Examples: publishing credentials on the Dark Web or in other forums.
- g. Obtaining personal or corporate information and using it for illegal purposes. Examples: gathering and leaking business information for financial gain, fraud, or blackmail.
- h. Using disruptive or illegal methods to identify vulnerabilities. Examples: attacks on physical security, social engineering, denial of service, and brute-force attacks.
- i. Attempting or preparing to commit any of the offences listed in 3(a) to (h) above.
5. Provide sufficient information on the reported vulnerability and collaborate with the System Owner(s) to validate the suspected vulnerability, including (when available) the following details:
- A description of the potential weakness.
- The product(s)/service(s) impacted, as well as the model or software version, IP address, and/or URL of the affected service (if applicable).
- The methods and conditions, including date(s) and time(s), that led to the discovery of the suspected vulnerability.
- The reason(s) you believe the suspected vulnerability may affect the product or service in question, as well as the potential impact (e.g., how you believe the suspected vulnerability might be exploited). You may also include CVSS (Common Vulnerability Scoring System) calculations, potential attack scenarios, and exploitation prerequisites.
- Any additional pertinent information, such as network packet captures, crash reports, video recordings, or screenshots containing evidence of the code or commands used to discover the suspected vulnerability.
Provide your name, email address, and contact number in the vulnerability report. System Owner(s), SingCERT, or law enforcement agencies (e.g., the Singapore Police) may contact you for further clarification or to seek your assistance in investigations relating to the vulnerability and any actions you may have taken in the course of the RVD.
What System Owner(s) should do under the RVD
1. Conduct their own verification and evaluation of any information pertaining to a suspected vulnerability, including the possible consequences of its exploitation.
2. Contact the Informer if additional information on the suspected vulnerability is required and, if appropriate, work with the Informer to arrange simultaneous public disclosure.
If the vulnerability is confirmed, the System Owner(s) should:
- Strive to develop a fix, workaround, or mitigation measures.
- Ensure that product/service users are aware of the vulnerability and the necessary countermeasures. This may be accomplished by notifying the affected users or by publishing an advisory. Where applicable, System Owner(s) should notify product/service users of interim mitigations (if any) while the patch is being developed, in order to minimise damage or harm to individuals and organisations, as malicious actors may also discover and exploit the vulnerability.
- Provide SingCERT and the Informer with an update on their vulnerability assessment, findings, and response status.
Communicating a vulnerability as soon as it is discovered is a great advantage for organisations, big or small. Not all vulnerabilities can be found readily, especially if the organisation does not subscribe to a penetration testing service. With RVD, an extra set of eyes helps ensure that any vulnerabilities the organisation has exposed in the open are properly communicated, so that the organisation can patch them before any bad actor gets hold of them.