When a software vulnerability is detected, it can be a stressful event for the maintainer who oversees the affected code. The developer and security research communities are expected to work together to address potential threats, yet there is limited understanding of the dynamics between them. On top of this, the security research community lacks a standardized vulnerability disclosure process. Various organizations have developed their own processes and methods of communicating vulnerabilities, whether directly by email, through triaged reports or via ticketing systems.
So what’s top of mind for cybersecurity professionals during a vulnerability management process? And, how can the research community build ongoing partnerships with them?
To bring awareness to these interactions and relationships, the GitHub Security Lab conducted interviews with open source maintainers between November 2020 and March 2021. Here are the top findings from the maintainer’s perspective and three ways to initiate better communication and collaboration between researchers and software developers.
Recent research on software developer and security researcher interactions
At the height of a vulnerability disclosure, developers and security researchers must navigate sharing sensitive information and facilitating critical collaboration to address the security issue. It is understandable that, at times, there has been friction and tension in these relationships.
The research identified three categories of findings: maintainers’ engagement with security researchers, their communication preferences in receiving notice of vulnerabilities and their perception of the disclosure process. Notable insights from maintainer interviews showed that:
- Maintainers have minimal ongoing engagement with the security research community. Although a majority of maintainers have little to no engagement with researchers, they are open to learning and receiving foundational information about security research. Beyond vulnerability reports, some maintainers mentioned they engage with security researchers through channels like Twitter, Slack, Discord or conversations with friends in the security industry.
- Maintainers describe their interactions with security researchers as generally positive; however, this is not universally true and depends largely on the individual researcher.
- Maintainers welcome constructive criticism that is actionable and widely applicable. After receiving a vulnerability report, maintainers experience a range of emotions, including anxiety and stress, which straightforward communication can mitigate. When feedback is delivered in a negative way, maintainers may ignore it or set boundaries on which discussions they will engage in.
- Maintainers prefer that reports be submitted to them privately.
- Some maintainers prefer to receive a security notification as a report that includes a summary of the problem, an explanation of the specific issue, the vulnerability’s potential impact and advice on remediation. Maintainers do not consider remediation suggestions a requirement for security researchers, but they find them helpful when provided, since open source maintainers volunteer their time.
- A majority of maintainers have identified a designated security contact; however, most do not yet have a formal security policy and either want to implement one or are actively working on creating one.
- While most accept the 90-day disclosure deadline (the interval between private notification and public disclosure) as the de facto industry norm, maintainers also want flexibility and more collaboration in determining the timeline.
How to strengthen developer-security researcher ties
Strong relationships between developers and security researchers are essential to securing open source software. Bringing awareness to their current work environment is the first step in creating effective partnerships. Here are a few recommendations on ways to improve communication and collaboration.
- Engage and initiate communication outside of the vulnerability process. To smooth interactions during a sensitive time like a vulnerability disclosure, communication between security researchers and developers should happen consistently outside of these processes. Encouraging open lines of communication and sharing best practices is one way to start. For example, in this study, maintainers expressed interest in resources from security teams that share foundational information such as background on common classes of vulnerabilities, vulnerability patterns, how bugs are found and the security community’s expectations of software developers. Fostering ongoing communication outside of critical vulnerability fixes builds trust and collaboration before a disclosure has to be worked through.
- Respect developer communication preferences and approach outreach in a constructive manner. Knowing that developers want straightforward notifications of a vulnerability, security researchers should ensure their outreach is clear, upfront and actionable. All communication should reflect mutual respect and encourage cooperation. As disclosures continue to be handled across the industry, there is an opportunity for the research community to share best practices from recent disclosures and the communication methods that help developers know what to expect.
- Explore and trial new methods that involve maintainers in the disclosure and vulnerability-fix process. Developers and security researchers will always be linked through their work: building and maintaining software and protecting it from potential threats. As security teams create their own processes for handling vulnerability disclosures, involving developers earlier in the design of those processes promotes collaboration. Although this is not always possible at the moment of a disclosure, post mortems or debriefs with developers afterwards can help inform new approaches and ways to engage.
As cybersecurity threats and software supply chain vulnerabilities continue to emerge, the partnership between researchers and developers is vital to protect software development. By understanding the relationship between these stakeholders in a community that lacks standardization, we can work towards more effective methods to address vulnerabilities and build a safer, secure and more collaborative ecosystem.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.