Operational Security
Operational security, often shortened to "opsec," is an important part of CVD operations. Opsec includes your ability to maintain security and confidentiality for information associated with vulnerability reports prior to disclosure.
Handling Sensitive Data
Some of the information that passes through a CVD process may include information on an organization's internal processes, trade secrets, or even national security interests in some scenarios. Proper precautions need to be established. It is recommended that recipients treat all received data as private unless explicitly given permission to share.
Of course, there is some ambiguity when you say private: does that mean the information is for the whole organization? Just the CVD team? Possibly even a single analyst?
Need-to-Know Principle
The "need-to-know" principle is a good starting point for determining who should have access to sensitive information. This principle states that only those who need to know the information to perform their job should have access to it. In general, vulnerability information should be shared with the fewest number of people possible to effectively coordinate and remediate or mitigate a vulnerability prior to disclosure. Clearly declaring the data's sensitivity can help to make that determination.
Traffic light Protocol
The Traffic Light Protocol is managed by the Forum of Incident Response and Security Teams (FIRST). It is a set of designations used to ensure that sensitive information is shared with the appropriate audience. By marking a document with a TLP level, a sender can easily communicate the sensitivity of information and expectations about sharing it further.
TLP 2.0 has five levels, each with a different meaning:
Label | Description |
---|---|
TLP:RED | For the eyes and ears of individual recipients only, no further disclosure. |
TLP:AMBER+STRICT | Limited disclosure, recipients can only spread this on a need-to-know basis within their organization only. |
TLP:AMBER | Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. |
TLP:GREEN | Limited disclosure, recipients can spread this within their community. |
TLP:CLEAR | Recipients can spread this to the world, there is no limit on disclosure. |
TLP Levels and CVD
We recommend using TLP:AMBER for most cases prior to public disclosure.
In the context of CVD, the following applies:
-
TLP:GREEN and TLP:AMBER are best suited for information shared between reporters, vendors, and coordinators during phases prior to public announcement of a vulnerability.
-
If pre-publication announcements are made to deployers or other stakeholders, TLP:AMBER+STRICT could be a good fit.
-
TLP:RED would usually be reserved for very sensitive information.
-
TLP:CLEAR is most useful for public disclosures.
Use caution with TLP:RED and TLP:AMBER+STRICT
We have found that TLP:RED is too restrictive for an organization to effectively respond to a vulnerability. For example, the analyst who receives a TLP:RED report might not be able to share it with their manager or their team. In a Vendor context, this might mean that the person who receives the report cannot share it with the team responsible for fixing the vulnerability.
TLP:AMBER+STRICT might be okay for a Reporter working with a single Vendor only, or when a Vendor wants retain control over the disclosure process to other Vendors or Coordinators. However, it limits the ability of the receiving party to engage others who might be able to help. A Vendor in receipt of a TLP:AMBER+STRICT report cannot share it with their upstream or downstream Vendors. Nor can they share it with Coordinators who might be able to help them reach other affected parties. Similarly, a Coordinator in receipt of a TLP:AMBER+STRICT report cannot share it with other Coordinators or Vendors, which severely limits their ability to assist with the coordination process. It is not impossible to do CVD with TLP:AMBER+STRICT, but it is more difficult and less effective.
Therefore we recommend TLP:AMBER for most cases prior to public disclosure.
TLP:GREEN can be useful for cases nearing public disclosure, for example when necessary to engage critical infrastructure through ISACs, ISAOs, or other trusted channels. In some larger multiparty cases, TLP:GREEN might be useful to reach a broader audience of potentially affected vendors, deployers and other stakeholders. However, the use of TLP:GREEN should be carefully considered, as it may be more likely to lead to unintended public disclosure.
TLP:CLEAR is more appropriate for cases where the vulnerability is already public.
Finally, we observe that CVD is usually geared towards eventually reaching TLP:CLEAR, with TLP:GREEN being sometimes a necessary stopping-off point for certain stakeholders.
Don't Automatically Trust Reports
There are two reasons that organizations receiving vulnerability reports should maintain a degree of wariness regarding the reports they receive. The first is intentional misdirection of your CVD capability, which we already discussed in Validation and Prioritization. The second is subtler, in that the technical infrastructure you deploy to manage CVD cases can potentially be affected by the vulnerabilities you are coordinating.
Vulnerability reports may contain hostile attachments—not necessarily as an attack, but simply a reporter sending a proof-of-concept for your review—so vendors and coordinators should design their report tracking systems and process accordingly.
Isolate Attachments
Be sure attachments to vulnerability reports are not opened automatically anywhere along the process. You might also institute a policy that such attachments are only to be opened within an isolated testing environment, not on production systems.
CVD participants should keep in mind that their case tracking and email systems themselves present attack surface and may be affected by the very vulnerabilities they are designed to coordinate. We have witnessed reports containing examples of image parsing vulnerabilities causing problems for both webmail and ticketing systems that automatically generate thumbnail previews of image attachments.
Consider Separate Infrastructure
Vendors and coordinators concerned about such risks should consider the degree to which their CVD support infrastructure is integrated with normal business operations systems. In some scenarios, maintaining parallel infrastructure may be preferable.
Complex Communications Reduce Trust
It's also important to be aware that not all participants along the chain of disclosure will be equally trustworthy. That's not to say they are actively malicious, just that they may have incompatible values or priorities that lead them to disclose the existence of the vulnerability to others earlier than you'd prefer.