How do you report a security issue that is life threatening? That question has loomed over the disclosures behind the talks at critical con, a conference that focuses on attacks that are, to some degree, life threatening. So how does one disclose that type of issue?
The answer is an ever-changing one that depends on multiple factors, so let's discuss just a few of the possible scenarios. Say a medical device company hires you to audit its products and you find a cyber security issue that is life threatening. What do you do?
Let's take a step back. Before doing that audit you need a special legal agreement with the company, one that explicitly says you may publish a life threatening security issue, precisely because the issue endangers people's lives. A standard non-disclosure agreement will usually forbid exactly that publication, so settle the point before the work starts rather than after the finding.
The company should also be given an appropriate amount of time to comply with any regulation that applies, to write a patch that won't cause more problems than it fixes, and to distribute that patch to everyone, before you publish.
What if the device is a medical device implanted inside someone, one that doesn't receive remote updates and can only be updated in close proximity? Then, much like a car without an internet connection that has to be recalled and fixed, people will have to go to their doctor's office to get the update. The fact that some people may refuse to be updated falls outside the scope of this article.
So we've identified one way to report an issue, but what if the company won't let you talk about the issue at all, or only lets you say a limited amount? That's a dilemma, and sadly one that may end up in the hands of regulators. We don't let people eat poisoned food; there are strict rules around food, so an employee who knows about food that shouldn't be eaten can report it to the FDA. The same kind of rule would make sense for devices that threaten lives, but that is ultimately up to lawmakers.
What if you don’t work for the company?
If you find a life threatening security issue in a device and you don't work for the company, don't report it through a bug bounty platform, or you may end up in the scenarios above because of the platform's legal agreements, since their terms usually bind you to the program's disclosure rules. Instead, report it by email. Check the vendor's site for a published security contact first (many put one at /.well-known/security.txt). If you can't find an email address, contact researchers who work in that area and ask whether they have any contacts. If you can't reach them by email or find any researchers in that sector, put up a tweet along the lines of: "Hey @fictitiouscompany, you have a security flaw that endangers your users' lives. Who do I contact?"
That alone will generate enough buzz that the company will most likely respond. After you report to them, you wait and give them an appropriate amount of time to patch, which you work out with them. If there is no way to report to the company, then you post the issue publicly, but you leave out what exactly is vulnerable and, for Pete's sake, do not publish working exploit code that is life threatening if used, when the company hasn't even had a chance to try to patch it. True, it is the company's fault: they had no way to receive a security report from you, and you may want to make the company realize its mistake so that it gets fixed. But at what cost are you willing to make them realize it? If this is a life threatening exploit, meaning it can harm, kill, or assault the users, then going old-school full disclosure without contacting the company really hurts innocent civilians who are simply trying to survive. I am not aware of a scenario in which putting up a fully functioning exploit for download that threatens someone's life, before the company has had a chance to review it, serves any ethical purpose.
Issues that affect websites can in most cases be handled publicly as described above, but when living beings are at stake you are in a whole new world of information security disclosure, and you can't operate as if you were just reporting another vulnerability.
As you can tell, this is a lengthy topic, but for this post we believe these are enough ways of handling disclosure of a life threatening nature to show you just how complicated the topic is.
If you are interested in the security of devices that can be life threatening if hacked, you will want to come to the critical con conference September 15th and 16th in Westlake Village, California at hub101.