When even the best-equipped firms can see established processes go awry, it means there is still a lot for everyone to learn about even the most normalized systems. So what can other enterprises learn from two large security companies, companies that both report and repair countless vulnerabilities each year, squaring off over a vulnerability disclosure gone bad?
The skirmish between Fortinet and Rapid7 stems from a report the latter published on Tuesday, in which Rapid7 announced an OS command injection bug discovered by researcher William Vu. Things went off the rails when Rapid7 published the report before Fortinet says it was ready. Rapid7 says its policy is to wait 60 days after reporting a vulnerability to the vendor before disclosing it publicly (the report went out on day 68). Fortinet says it was counting on Rapid7 to give it at least 90 days before publishing.
"Our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers," Fortinet wrote in a statement. "As such, we had expected that Rapid7 hold any findings prior to the end of our 90-day responsible disclosure window."
It is worth noting that it is unusual for the vendor to set the timetable for public disclosure. In most cases the researcher sets the deadline; the point of a deadline is to encourage a prompt patch. It is also worth noting that the 90-day window Fortinet refers to is the disclosure deadline Fortinet's own researchers apply before announcing vulnerabilities they find in other vendors' products, not a timeline its PSIRT policy sets for reports submitted to Fortinet.
The scuffle has played out publicly in articles like this one on ZDNet.
Fortinet said a patch is forthcoming, and Rapid7 offers advice in its report to mitigate the vulnerability in the meantime.
Tod Beardsley, director of research for Rapid7, said that there were lessons here for companies of all shapes and sizes looking to get a positive outcome from their disclosure programs. There is even a lesson for researchers looking to facilitate better outcomes.
"I'd much rather have headlines that say Fortinet fixed a bug Rapid7 found. That's a much better story for me," he said.
The key issue here, said Beardsley, was communication. Rapid7, he said, frequently grants extensions to its deadlines when vendors ask and appear to be working toward a patch. The problem in this case, he said, was that Fortinet was uncommunicative through most of the 60-day window and did not ask for an extension until it was too late.
Rapid7, like most companies, lets journalists see upcoming research in advance once they agree to an embargo date on which they may publish. That gives them time to gather comments from researchers and vendors before a report goes live. Fortinet did not ask for an extension, said Beardsley, until the day before Rapid7 published, after the research had already been sent to journalists under embargo.
"When we heard about it the day before, I said 'Sure, I'm happy [to extend the timeframe before we publish] but I can't say that journalists are going to stop writing.' We already kind of let this cat out of the bag," he said.
Katie Moussouris, an expert in disclosure policies and a driving force behind disclosure programs at the Department of Defense and Microsoft, said Rapid7 was right to publish.
"Rapid7 did the exact right thing to protect users," she said, via email. "When faced with an unresponsive vendor, which Fortinet was in this case, the researchers must go with their own disclosure policy and the best path forward to minimize user risk. Fortinet should have followed the ISO standards which require timely status communications between the vendor and the reporter of the vulnerability. Radio silence isn't in anyone's best interest."
Moussouris is CEO and founder of Luta Security, which helps companies set up vulnerability submission processes.
Beardsley says that staying in contact with the researcher who reported a vulnerability is key for a company looking to get the best outcome. And when a deadline looks impossible to meet, raise that with the researcher as early as possible.
"Rapid7 is working on vulnerabilities, just like everybody has vulnerabilities. If you have good vulnerability handling, you always have a queue of them. We've gotten one recently where they said they were going to publish this in two weeks. And I said 'Oh, boy. Two weeks. How married are you to that two weeks?'"
Some deadlines can be unmovable, like when a vulnerability is going to be disclosed at a major conference. But even then, vendors can work with researchers to keep key details under wraps.
Beardsley said he wished he had reached out to Fortinet more often during the process, though he said Rapid7 did get an acknowledgment that Fortinet had received the report, and Rapid7 followed up again in August.
The point of disclosures, he said, was to work with vendors, not to catch them off guard.
"I want an environment where people feel comfortable and free in reporting vulnerabilities to multi-billion dollar companies. And those multi-billion dollar companies feel comfortable and free, like talking to these vulnerability reporters," he said.