Positive Technologies: only 14% of vendors promptly fix vulnerabilities found by security researchers

Delays with security updates may jeopardize companies and entire industries

Positive Technologies has analyzed its experience of working with vendors on vulnerability disclosure. It turned out that, in 2022–2023, 57% of vendors responded promptly to queries from the company's researchers, but only 14% met the ideal deadlines for releasing updates.

Security flaws that are newly discovered, unknown to the software vendor, and not yet addressed by a patch are known as zero-day vulnerabilities. It is critical that the vendor release a patch promptly as soon as it learns of the flaw: every day of delay gives malicious actors more time to exploit the vulnerability in their attacks.

The number of discovered vulnerabilities keeps growing: according to the U.S. National Institute of Standards and Technology, 2023's figure (28,902) exceeded the numbers for 2021 and 2022 by 42% and 14%, respectively. Moreover, every new breach and leak is costing businesses more: the average cost of a breach, according to IBM, has increased by 15% over the last three years, reaching $4.45 million. In this context, building trusting, transparent relationships between software vendors and information security researchers takes on particular importance.

A delay in the responsible disclosure of vulnerability information may also lead to an increase in supply chain attacks [1]: in the first three quarters of 2023, the number of incidents caused by this type of attack doubled compared to the figure for the entire year 2022.

Positive Technologies follows the principles of coordinated disclosure for vulnerabilities discovered in vendors' products. In addition to the researchers and the software vendor, this form of responsible disclosure involves regulators and coordinating organizations that act as intermediaries between researchers and suppliers.

"Positive Technologies researchers on the PT SWARM team detected more than 250 vulnerabilities in software and hardware by 84 vendors in 2022 and 2023. 70% of those vulnerabilities have a high or critical level of severity. We get to deal with software vendors who have vastly different levels of maturity. Only a quarter have contacts on their website for this type of communication and at least a semblance of a responsible disclosure policy. We urge vendors to build transparent and mutually beneficial working relationships with cybersecurity professionals, because it is only together that we can detect and fix software vulnerabilities in a timely manner and counter the onslaught of cybercrime in the interest of all parties. Responsible companies are the primary beneficiaries of a relationship like that: they get to improve the security of their solutions, build a favorable image, attract new customers, and strengthen their market position," says Fedor Chunizhekov, Information Security Analyst at Positive Technologies.

Insufficiently structured communication between vendors and researchers, as well as inconsistent and delayed responses to vulnerability reports, are the key obstacles to putting the principles of responsible disclosure into practice. Positive Technologies considers the ideal vendor response time to be between one and seven days: 57% of vendors managed to respond to the company's researchers within that window. The proportion of vendors that both responded and released an update within the ideal time frame was just 14%, while almost half (49%) released patches within three months.

Positive Technologies experts recommend that vendors take a professional approach: adopt a responsible disclosure policy, trust security researchers, and actively maintain communication with them. They also advise software vendors to release security updates and announce them as soon as possible, and to reward researchers adequately for the vulnerabilities they discover, so that the productive working relationship continues.

[1] A cyberattack in which attackers infiltrate a company by compromising its software or hardware suppliers. For example, cybercriminals can inject malicious code into a product's source code or distribute malicious updates to infect the target organization's infrastructure.