#Fedipower #Cybersecurity

Does anyone know a regulation which requires specific time periods from "vendors" to fix security vulnerabilities?

There are the (unofficial) 90 days that are often used in Coordinated Vulnerability Disclosure. But I couldn't find anything specific in common standards or regulation :-(

I really would love to have something to shorten the recurring discussion on how quickly a vulnerability should get fixed 🤬

Clarification: I'm not talking about time-frames for operators to apply security patches from the vendors.
And I'm aware that the analysis of a (potential) vulnerability, the fix, the testing, certification and release of the system by the vendor is far more complex and time consuming than "simply" applying patches.

#WisdomOfTheCrowd

For Cloud Service Providers (CSP) the US Federal Risk and Authorization Management Program (FedRAMP) mandates high vulnerabilities to be remediated within 30 days.

But this probably concerns mostly the application of patches to 3rd party components (as the vulnerabilities are found in scans).

See
CSP Timeliness and Accuracy of Testing Requirements
https://www.fedramp.gov/assets/resources/documents/CSP_Timeliness_and_Accuracy_of_Testing_Requirements.pdf

In their Coordinated Vulnerability Disclosure Process document, CISA speaks of a possible 45-day disclosure time-frame, but only if the vendor is not responsive.

If the vendor is responding and working on a fix, there is no guideline given.
https://www.cisa.gov/coordinated-vulnerability-disclosure-process

Google's #ProjectZero follows a 90-day disclosure deadline policy, meaning they will publish a vulnerability 90 days after informing the vendor (or 30 days after the patch is published).

Sometimes they grant an additional 14-day grace period, leading to a 104-day fix period.

https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html


ISO/IEC 29147 - Vulnerability disclosure contains an unspecified embargo period. Vendors have to acknowledge vulnerability reports within 7 calendar days.

#ISO29147

I should check what disclosure periods #BugBounty organisations use.

Maybe @k8em0 would have some input 🙂

https://infosec.exchange/@k8em0/110186072873805241 contains some.
As well as her paper Vulnerability Disclosure Programs:
Available Standards & Best Practices
https://www.nist.gov/system/files/documents/2021/11/19/09-Final%20-%20Moussouris-%20EO%2014028%20VDP%20Best%20Practices.pdf

Katie Moussouris (she/her)🥜👋🏼 (@[email protected])

Ah yes, another high profile bug bounty forcing non-disclosure — even for fixed bugs. 🤦🏻‍♀️ It's the bugs they won't fix that will put users at risk. All orgs need a vulnerability disclosure program that doesn't ban disclosure. But what do I know. I just coauthored the standard #GPT "But it's a bug bounty & they are paying so it's fair to ask for non-disclosure" That's fine if everything submitted is paid work, like a penetration test. Oh, only paying selectively & only the first of any duplicates? That's labor abuse & the worst gig economy deal out there. "But pen tests don't get you all the eyeballs" Neither do bug bounties - you get a random number of eyeballs willing to sign NDAs. If orgs actually care about security, they cast as wide a net as possible to get the best researchers - especially those who won't sign NDAs. "This is better than no bug bounty" No, it isn't. It breeds a false sense of security for users & the org itself, while actively excluding the highest skilled researchers who will never sign an NDA for speculative pay or who want to see the bugs FIXED as their motivation.