Lifecycle of a Vulnerability Overview — Part Two
May 3
By Melissa S. Vice, NSI Visiting Fellow, and Chuck Yarbrough, Visiting Technologist Fellow
This piece is the second of a two-part series on the Lifecycle of a Vulnerability.
While part one, Lifecycle of a Vulnerability Overview, presented the five stages of the lifecycle from the viewpoint of a traditional Vulnerability Disclosure Program (VDP), the same model can also help organizations determine when to implement Bug Bounty (BB) events. There are companies that specialize in operating Bug Bounties. They enlist the services of researchers (also known as white-hat hackers) to attack a defined target or series of targets and report their significant findings for monetary rewards. The reports are supplied to the target’s system owner to promote mitigation of the identified vulnerabilities, preferably before an exploitation occurs. Unlike Bug Bounties, VDPs generally only supply reputation points as a reward, not money. These points, along with disclosure of mitigated and anonymized vulnerability reports, can help new researchers earn a higher ranking on a BB company’s leaderboard (a scoreboard of its top talent) and get invited to other paid BB events. BBs are structured, focused, and short-lived events, generally 1–4 weeks in duration, while VDPs are enduring.
Vulnerability Disclosure Programs follow the ISO standards for vulnerability disclosure (ISO/IEC 29147) and vulnerability handling processes (ISO/IEC 30111). Only approximately 20 percent of private sector organizations have a legal safe harbor policy established to let independent security researchers report their vulnerability findings. Until more organizations establish their own VDPs, hiring a third-party company to host a bug bounty event is their best option. Figure 2, the Lifecycle of a Vulnerability model, displays three points within the five stages of the lifecycle at which Bug Bounty events would be optimal.
The first effective use of a Bug Bounty is during the software or system development phase, prior to Stage 1: Discovery (pre-deployment). A pre-deployment software product or information system can be set up in a development or test environment, and a focused bounty can then be directed at it to highlight any weaknesses or vulnerabilities that may be present. This aids the development staff because the risk to the system owner or customer is lower before the system “goes live.” Of course, following the best practice of using dummy data on a development (non-production) system is recommended to prevent any type of unauthorized information disclosure.
The second, and most common, effective use of a Bug Bounty is in Stage 2: Coordination, as shown by the second red arrow: post-deployment, for vulnerability discovery purposes. Bounties at this stage allow software vendors or system owners to discover weaknesses in their systems, hopefully before adversaries do. In any event, due diligence dictates that Bounties be used at this stage, since doing so has been shown to reduce the embarrassment and liabilities of having an intrusion in a live system. Keep in mind that a discovered vulnerability or weakness is NOT an incident, unless subsequent investigation shows that it had already been used in a previously unknown intrusion. Even in that worst-case scenario, discovery can at least limit the organization’s exposure by making it aware of the problem.
The final effective use of Bug Bounties is later in the lifecycle, in Stage 4: Management. Once the vulnerability has been mitigated (patched, exposure to the vulnerability reduced, etc.), a Bounty can test the effectiveness of the fix. In vulnerability disclosure programs there is a 30 percent failure rate of reported mitigations on the first attempt. This is not atypical, and bounty testing at this point can provide additional confidence that the vulnerability has been successfully mitigated.
Conclusion
In September 2020, the Executive Office of the President, Office of Management and Budget (OMB) Memorandum M-20-32 “provided Federal agencies with guidance for obtaining and managing their vulnerability research programs” by encouraging the use of vulnerability disclosure programs and bug bounties. M-20-32 refers to this combination as “coordinated vulnerability disclosure (CVD) methodologies,” which, in association with the previously indicated ISO standards, can enhance cybersecurity hygiene and protections for information systems. Using the Vulnerability Lifecycle Model can assist both governmental agencies and private companies in determining more effectively how to employ these best practices.
Melissa S. Vice is the current Chief Operations Officer (COO) for the Vulnerability Disclosure Program (VDP) at the DoD Cyber Crime Center (DC3), and Chuck Yarbrough is a Senior Software Engineer at the Software Engineering Institute at Carnegie Mellon University.