COMMENTARY: Earlier this year, MITRE, the steward of the CVE catalog since 1999, warned that its U.S. government funding would expire on April 16, 2025. Although new initiatives quickly stepped forward to fill the gap, the shift would have added significant friction to assigning new vulnerability IDs and slowed coordination worldwide. In an eleventh-hour turnaround, CISA extended its contract with MITRE for another 11 months.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
The uproar that followed was a reminder that how vulnerabilities are disclosed is just as critical as what is exposed. But, as an industry, how do we shape the "how" of disclosure?
MITRE itself is a non-profit organization, and no global law compels responsible vulnerability disclosure, so customer safety, ethics, and reputational risk do most of the heavy lifting. There are typically three schools of thought on vulnerability disclosure, some arguably more responsible than others.
School One: Full and immediate public disclosure
In some cases, researchers who discover a vulnerability in another company's product publish the technical details as soon as the bug is confirmed. This method bypasses any vendor grace period: the affected vendor gets no time to notify customers or to patch the flaw. In 2021, researchers pushed a proof-of-concept exploit for PrintNightmare (CVE-2021-34527) to GitHub before Microsoft had a working patch, forcing emergency mitigations worldwide.
The argument for immediate disclosure is that it forces slow-moving vendors to act fast. Once the exploit is public, the vendor must patch as soon as possible or risk exploitation of its customers, with the financial and reputational damage, eroded customer trust, possible regulatory penalties, and other consequences that follow.
The problem is that threat actors take immediate advantage of the published details. Customers running the flawed software are exposed in the interim, and trust is eroded regardless of how quickly the vendor responds. Full disclosure should therefore be reserved as a fallback for when a vendor refuses to take responsibility within a reasonable period.
School Two: Non-disclosure
Highly sensitive organizations often keep vulnerabilities under wraps, for various reasons. Public disclosure usually happens only if and when the details leak or active exploitation is observed. This is especially relevant for government agencies that hold exploits and for organizations protecting similarly critical information: if a vulnerability becomes public before it is patched, threat actors flock to exploit it.
One example is the EternalBlue exploit for a flaw in Microsoft Windows that the NSA withheld for years. When the exploit leaked in 2017, it powered the WannaCry and NotPetya ransomware outbreaks against systems that had not yet applied the MS17-010 patch, causing billions of dollars in damage. Non-disclosure provides an intelligence advantage, but it can also undermine public trust.
School Three: Coordinated and nuanced disclosure
In this third school of thought, researchers who find a flaw work privately with the vendor and agree on a specific window before public disclosure, during which the vendor can fix the issue. Typically the two sides settle on 30, 60, or 90 days, depending on how long the vendor expects the fix, and its rollout to customers, to take.
The coordinated disclosure method balances customer safety with researcher credit. It also gives the vendor a fixed deadline to ship a fix before the details become public and threat actors can act on them.
Coordinated disclosure keeps full disclosure in reserve as a fallback, to be used only if the vendor refuses to take responsibility after being notified. It is not about withholding a vulnerability; it is about releasing the details once a patch is available, so that users are not left unprotected and open to attack.
The path forward: Why nuanced disclosure wins
As an industry, we need to move toward a more nuanced disclosure method and avoid the extremes of immediate disclosure and non-disclosure. If every vulnerability is disclosed immediately and in full, cybercriminals hold a constant upper hand, because no organization can keep every system patched to the latest level at all times. Likewise, if there is no central, coordinated disclosure, each patch becomes a potentially critical unknown, and organizations are again thrust into an impossible position.
Both of these models favor the attacker and hinder the defender. Nuanced, coordinated disclosure is the right middle ground: fast enough to keep attackers at bay and deliberate enough to protect end users. By backing this school of thought financially, operationally, and culturally, organizations stay patched, trusted, and one step ahead. Patch availability, clarity, prioritization, and structured remediation are the only reasonable ways for the security industry to improve while focusing time and effort on the most important risks.