Security is ever a game of balance. Ease of use against safety is the one I find myself thinking about most often; locks on your door inconvenience you with having to get out your keys, long and unique passwords necessitate working with a password manager, two factor requires additional equipment and steps. Most often adding security impacts ease of use in some negative way. Finding the balance here is important.
But security isn’t a single balancing act. Many of the decisions we must make require finding the right balance. Each requires thought and consideration, as well as a clear set of priorities. Especially when it comes to disclosing vulnerabilities. Every situation is going to be unique, but knowing the right questions to ask will help. The time to think through these questions is now, hopefully long before you are faced with them.
Should This Vulnerability Be Disclosed?
Disclosing the vulnerability is best for your users. It builds trust. It’s also the best thing you can do for the future of security. Hopefully other people can learn from your issue and not have to face the same one themselves.
“But, it’ll make us look bad!” You’ll look worse if someone else discloses it and you were hiding it. No security is perfect. Every company I’ve talked to that has owned up to a security issue has ultimately seen increased trust from their users.
“But it’s fixed now and no one was affected.” That’s fantastic! Well done! You should let people know how well you handled it.
“But if we make it public, people will try to exploit it!” Now we’re getting somewhere. This shouldn’t be a question of if, but of when. And deciding when to disclose can be tough.
When Should We Disclose?
Who would have thought a four-word question could be so complex and hard to answer? There is so much to consider. How do you balance what’s best for your users and your own reputation (spoiler: What’s best for your users is best for you)?
To figure this one out, you’ll need to answer a couple additional questions.
How Serious is the Vulnerability?
Objectively rating the severity of an issue can be tough, but considering these three things will help:
- Discoverability – How likely is it someone could discover this and begin to exploit it?
- Exploitability – Is this easy to exploit? Can attackers script it? Does it require authentication or social engineering?
- Reach – How many are affected by this?
How Can We Best Protect Our Users?
It might be that you can protect your users by giving them time to update to a secure version before disclosing. The worst thing about disclosing is that you can not only disclose to the “good actors”. When you put the information out there, it’s available to the well-meaning as well as those with more nefarious intentions.
While waiting can give users time to upgrade, remember that if the issue is discovered and exploited before your users know about it, you have ultimately put them at a disadvantage.
How Detailed Should the Disclosure Be?
Yet another balance to be found. This one between informing your users and giving instructions to the potential exploiters.
Make sure to include enough information for your users.
- Help them understand how severe the issue is. Hiding the severity doesn’t help them.
- Let them know what risk they face.
- Give them steps to follow to protect themselves.
This is not a how-to. Do not include enough information for people to be able to easily exploit. Make them figure that out on their own.
What Did I Do Wrong?
Ask yourself this last question after everything has settled. Maybe a week or two after the actual disclosure, sit down and assess how it went. Revel in the successes, but admit the mistakes. Use them to tweak your processes for next time.