For the safety and security of the public, responsible disclosure best practices recommend that the vulnerability finder first notify the vendor privately. The finder must provide the vendor with adequate time not only to develop fixes and/or patches but also to push out software updates. Once fixes, patches, and updates have been proliferated throughout the software supply chain, only then should the finder publicly disclose the findings.
A coordinated disclosure process between the vendor and vulnerability finder is crucial for preventing attacks. When information on how to exploit software is available, but information on how users can protect themselves is not, there can be dire consequences that affect not only vendors but also their customers. Remember, in the Internet of Things (IoT) era we live in, attacks can be conducted remotely—meaning from anywhere in the world—and can affect millions of users at once.
The reality, though, is that pushing a software update through the supply chain takes substantial time and effort. We at Synopsys have experienced this firsthand. When the Defensics fuzz testing team ran Defensics against the Linux kernel in an internally organized hackathon, they stumbled on three critical vulnerabilities. We found the vulnerabilities in March 2017, and we publicly disclosed them in May 2017. Although it may seem like it’s just a little over a month between discovery and disclosure, we had a team dedicated to this finding for roughly 6 months: from discovering the issue, to working with vendors to reproduce our finding, to working with information-sharing organizations, to public disclosure. The time gap we experienced between discovery and disclosure is fairly short compared to most disclosures.