By Joe Uchill – 12/15/16 09:10 AM EST
A Department of Commerce survey shows that 60 percent of cybersecurity researchers fear legal repercussions for reporting security vulnerabilities they discover to a product’s manufacturers.
The Commerce Department’s National Telecommunication and Information Administration’s survey came through its role in a multi-stakeholder working group focused on increasing industry adoption of programs to allow researchers to report vulnerabilities — often called coordinated disclosure programs
“The more we can share information, the more prepared we can be in keeping the nation and the economy safe,” said Rep. Jim Langevin (D-R.I.). A member of Langevin’s staff sits on the working group and was involved in creating the survey.
Until this year, copyright law prevented researchers from investigating many products.
A related vendor survey showed that industry split into two tiers on the topic — one that had fully embraced disclosure and another that had not. But despite growing adoption, few vendors expected disclosure programs from their suppliers. Less than a third of vendors expect third-party suppliers to have disclosure policies, and only a quarter worked with their suppliers to remediate vulnerabilities. “It was rewarding to see indications that both sides see the value of coordinated disclosure,” said Jen Ellis, vice president of community and public affairs at the security firm Rapid 7, and the head of the working group.
Ellis highlighted that researchers are largely more interested in helping vendors fix products that are not secure than in remuneration.
Only 15 percent of researchers expected payment for notifying a company of a bug, though 70 percent expected continued communication about patches.
One of the hold-ups in the adoption of coordinated disclosure programs is distrust between vendors and researchers. Notification of a fixable product flaw often comes only during lawsuits or bad press, and firms view researchers looking to help with skepticism.
Many companies do offer rewards — called “bug bounties” — to encourage researchers to investigate their products, however. With 85 percent of survey respondents not expecting compensation, that would cast bug bounties as more of a bonus than a full-time revenue stream for most researchers.