Responsible Disclosure and the Ethics of APT Research

By Derek Manky | April 07, 2016

The Internet of Things (IoT) is projecting incredible growth in the near future—with an estimated 20+ billion devices expected to be connected in the next four years alone. This rapid expansion will afford opportunities to all sorts of businesses and organizations—including those with nefarious intents.

Each year, researchers discover somewhere between five and seven thousand network vulnerabilities—and that range has held steady over the last few years. But with this explosion of IoT devices and vendors under way, we’re expecting the number of problems to increase exponentially. Many of these IP-enabled devices were never created with security in mind. Communications software is often cut-and-pasted from one product to the next, meaning that errors and vulnerabilities get replicated across a spectrum of devices. And there is often simply no way to install a security client, patch a vulnerability, or upgrade flawed code on the device itself to protect consumers or vendors. There’s going to be a lot of pressure on vendors without sufficient in-house resources to quickly identify and address these sorts of often intractable problems. And in the meantime, an exponentially expanded attack surface, with many paths left open for attackers to target, can have a devastating impact on overall network security.

With this pending maelstrom of vulnerability approaching fast, communication becomes an important variable in the process of discovering weaknesses and, when possible, implementing patches in a timely manner. There are gray areas to navigate, misconceptions to overcome, and business practices to avoid. Fostering a greater understanding of the ethics and perils behind advanced persistent threat research—from both the researcher’s and the vendor’s perspectives—is a topic that needs more open discussion within our industry. And it’s a conversation that starts with the concept of responsible disclosure.

In essence, responsible disclosure refers to the ethics of how and when a vulnerability is publicly communicated. After a problem is discovered, a hardware or software vendor needs a reasonable amount of time to develop a fix. Publicizing an unpatched security hole would not only potentially damage that vendor’s reputation, but (more importantly) it would shine a spotlight on that vulnerability for cybercriminals to then exploit. On the other hand, if a vendor isn’t willing or able to take swift action to fix the issue, then saying nothing perpetuates a false sense of security—and the flaw will most likely be discovered and exploited by someone else anyway.

On the research and discovery side, there are those who believe it’s their social duty to immediately report any significant vulnerability. While there are responsible, widely accepted financial models such as bug bounty programs that reward researchers, there are also those out there who might try to sell information about a flaw or weakness on the black market to the highest bidder. If you’re a smaller company with limited staff and resources, then you might understandably feel a bit wary about outsiders coming to you with claims of having discovered a flaw in one of your products.

On the flip side, there’s the unfortunate circumstance where a vendor is completely unprepared and unreceptive when a legitimate researcher identifies a potential flaw and tries to approach them in earnest. In fact, few organizations understand this process properly. At Fortinet, when we work with bigger companies like Microsoft or Adobe, we have a healthy collaborative relationship because they have developed and maintain appropriate in-house security expertise. Proactive organizations like these, including Fortinet, have dedicated product security incident response teams (PSIRTs), which provide an active and appropriate channel for communication between the researcher and the vendor.

Unfortunately, this sort of dedicated, permanent staff is difficult for many smaller companies to develop and maintain, so problems go unrecognized, undisclosed, and unrepaired. This means that with IoT’s groundswell of new and often smaller vendors hitting the market, a lot of vulnerable products are going to be joining networks very soon. While FortiGuard Labs threat research extends to these kinds of new devices, we’ve had problems connecting with some small vendors to report vulnerabilities in their products. Even though what we’re communicating is done with good intent and follows industry best practices, their response is often unreceptive because of their gaps in skill set, resources, and understanding.

We support and promote the concept of responsible disclosure that allows for vendors to work in collaboration with outside entities to quickly identify and fix an issue before it’s made public. At Fortinet, this approach is based on the same sort of best practices approach we use when working with law enforcement. If we’re following a cybercrime case, we work with authorities (such as Interpol or the FBI) to provide them with the information they need to protect the public and do their jobs more effectively.

Another approach we use in support of our ethical stance on responsible disclosure is our Zero Day research white-hat hacking team. It’s their job to think like a black-hat hacker, but in an ethical hacking sort of way—finding and fixing or reporting on vulnerabilities before the bad guys discover them. This sort of responsible approach provides a mutually beneficial outcome. It’s to our advantage because when we research these sorts of things we can discover a flaw in advance and come up with a solution before a vendor patch becomes available. And it benefits other organizations because they can rest assured that the gap between a vulnerability discovery and a permanent fix has been closed. But we never sell information about that flaw. Ultimately the industry as a whole benefits from this research, as eventually these concepts are discussed at security conferences such as VB100, Black Hat and so forth, as we have done in the past.

At Fortinet, we own all of our research. First and foremost, we apply what we learn to our own line of solutions because that’s our core business. And we share this information in a responsible way with other vendors so they can take appropriate measures. We believe that sharing information with hardware and software vendors shouldn’t be driven by direct financial gain or by taking credit for discovering something. It’s about building trust with partners (and potential partners), doing what’s best for our industry at large—and more than anything, ensuring customer protection and privacy. Fortinet is committed to continuing to work with both new and established vendors to solve the PSIRT challenge, and to help harden IoT as it continues to grow.