By Michael Daniel, CTA President & CEO

Last spring, I wrote about the need for security companies to communicate responsibly about vulnerabilities in other companies' security products. In that blog post, I identified three principles that should guide how companies talk about these vulnerabilities: not using disclosed vulnerabilities for commercial gain, providing notice to vendors before publishing research, and acknowledging that all security products have vulnerabilities. I concluded by calling on the industry to develop these principles into sound policies.

I am proud to announce that the Cyber Threat Alliance has adopted a policy around vulnerability communication that adheres to these principles.  It commits CTA members to operating in good faith with each other and to supporting proactive vulnerability search and remediation efforts.  The policy calls on CTA members not to use disclosed vulnerabilities in a competitor’s product to commercial advantage, and to give other members at least 24 hours before publishing research on vulnerabilities.  At the same time, the policy recognizes that members can and should research vulnerabilities in security products, because such research is an integral part of making the ecosystem safer.  You can read the full policy here.

We want companies to proactively search for and remediate vulnerabilities in their products, and we don't want negative publicity about such vulnerabilities to deter those efforts. Right now, that is the only way for defenders to stay ahead of malicious cyber actors. Further, the more companies operate according to policies like CTA's vulnerability communication policy, the more we will reduce the amount of "fear, uncertainty, and doubt" in the industry and enhance its professionalism. Eventually, we may live in a world where a large number of vulnerabilities in a software product says something about programming quality, but until we reach that point, these kinds of policies help make the ecosystem safer.
