Vulnerability Disclosure: Guiding Governments from Norm to Action
How to Implement Norm J of the United Nations Norms of Responsible State Behaviour in Cyberspace
Published by Interface
December 02, 2024
Executive Summary
As society’s expectations of IT systems have increased, the underlying IT infrastructures have grown increasingly complex.[1] That complexity is inevitably accompanied by errors, which can be exploited. The persistent challenge of those errors, or vulnerabilities, in IT infrastructure, which spans everything from medical implants to vehicles, poses significant risks due to potential exploitation by criminals, adversarial intelligence agencies, and militaries.
Vulnerability disclosure, “a process through which vendors and vulnerability finders may work cooperatively in finding solutions that reduce the risks associated with a vulnerability,”[2] has emerged as a key process to fix these errors – ideally before they can be exploited. This process may involve multiple parties, including security researchers, coordinators, code owners, and system owners working together. Instances where all relevant stakeholders work together to reduce the risks associated with a vulnerability through disclosure are referred to as Coordinated Vulnerability Disclosure (CVD). The theoretical and practical aspects of Coordinated Vulnerability Disclosure are well established, offering a robust framework for mitigating risks associated with vulnerabilities.
Governments have acknowledged that they themselves play a crucial role in fostering a policy ecosystem conducive to Coordinated Vulnerability Disclosure. In 2015, the United Nations (UN) Group of Governmental Experts on developments in the field of information and telecommunications in the context of international security agreed upon a norm to, inter alia, “encourage responsible reporting of ICT vulnerabilities” as part of their final report. The consensus report was subsequently endorsed by all member states of the United Nations General Assembly.[3]
While this norm, among others, has been agreed on, its implementation needs to be advanced through concrete guidance. Implementation refers to “adjusting or establishing policies, procedures, regulations or capabilities or adopting other measures which support state and national adherence to the projected conditions of the recommendations for norms.”[4] This has recently been emphasized again by several governments calling for an improved exchange, in-depth discussions and collaborative initiatives on vulnerability disclosure, and on the vulnerability disclosure norm more specifically.[5] This policy paper therefore seeks to bridge the gap between the abstract formulation of the United Nations norm on vulnerability disclosure and its implementation in practice. It offers concrete, actionable guidance on how states – key stakeholders and enablers of vulnerability disclosure – can achieve compliance.
As a baseline, governments should
I. Designate a Point of Contact and Coordinator;
II. Implement a Government Vulnerability Disclosure Policy;
III. Create Legal Protection and Certainty;
IV. Drive Security Contact and Disclosure Practice Implementation;
V. Offer Guidance and Services.
As enhanced implementation, governments could
VI. Implement a Government Disclosure Decision Process;
VII. Foster Government Vulnerability Reward Programs;
VIII. Drive Mitigation Sharing;
IX. Improve Vulnerability Information Sharing;
X. Socialize the Norm Internally;
XI. Not Introduce Vulnerabilities or Prohibit Their Reporting.
As advanced measures, governments could
XII. Support Unmaintained Code;
XIII. Internationalize and Specialize Government Coordinators;
XIV. Cooperate and Build Capabilities;
XV. Name and Shame Non-Compliance;
XVI. Curb Vulnerability Trading.
By implementing and refining the relevant national capabilities, and subsequently engaging in respective international cooperation, governments can significantly bolster national cybersecurity. This proactive approach not only mitigates risks but also fosters trust and cooperation among nations in handling cybersecurity threats.
[1] Herbert Lin (2018): CLTC Seminar “Complexity and Security: Managing the Tradeoffs”
[2] ISO (2024): ISO/IEC TR 5895:2022 – Information technology – Security techniques – Vulnerability disclosure
[3] United Nations (2015): Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (A/70/174)
[4] Mika Kerttunen and Eneken Tikk (2021): Putting Cyber Norms in Practice: Implementing the UN GGE 2015 recommendations through national strategies and policies
[5] Ghanaian Representative (2023): (4th meeting) Open-ended working group on Information and Communication Technology (ICT) – Fourth Substantive Session; Malaysian Representative (2023): (2nd meeting) Open-ended working group on Information and Communication Technology (ICT) – Fourth Substantive Session; Swiss Representative (2023): (2nd meeting) Open-ended working group on Information and Communication Technology (ICT) – Fourth Substantive Session
Author: Dr. Sven Herpig, Lead Cybersecurity Policy and Resilience