Between threats and legal uncertainty, vulnerability researchers are flying blind

The figures speak for themselves. In mid-December 2023, MITRE’s CVE system identified 37,272 vulnerabilities for 218,983 total records. At the same time, the Zero Day Initiative (ZDI) bug bounty program identified 1,763 vulnerabilities compared to 1,706 at the same time the year before.

« Of the 1,763 vulnerabilities identified by the ZDI program, not all are ‘zero day’, i.e. not all have been exploited by hackers or publicly disclosed, » says Nicolas Villetelle, senior sales engineer at Trend Micro, a company involved in the ZDI program since 2005.

Most of the time, software publishers welcome vulnerabilities identified as part of a « bug bounty » program, and some have even created compensation programs to reward vulnerability researchers. One such company is Google, whose bug bounty program, known as the Vulnerability Reward Program (VRP), helped identify no fewer than 2,900 vulnerabilities in 2022, with a record $12 million (around €11 million) in bounties paid out to researchers.

« Silent patches » water down public disclosure of vulnerabilities

Not all companies react so positively, however. In particular, Trend Micro points out the rise in « silent patching », a practice that delays or waters down the public disclosure and documentation of vulnerabilities and patches.

At a session at Black Hat USA 2023, Trend Micro Research representatives explained that silent patching has become especially widespread among cloud providers. « Increasingly, companies are no longer assigning a CVE (Common Vulnerabilities and Exposures) identifier for public documentation, instead issuing patches privately…the lack of transparency or version numbers for cloud services obstructs risk assessment and deprives market players of valuable information to improve the overall security of the ecosystem, » the cybersecurity specialist said in a statement in August 2023.

Frequent threats rarely followed by legal action

Vulnerability researchers are also facing threats and even lawsuits from companies to whom they make their reports. « This sometimes-hostile environment creates an incentive to discontinue work that is beneficial to everyone. It also drives certain researchers away from the official market, known as the white market, and towards the gray market (where brokers intervene) or even the black market. These two markets, the gray and the black, are also often much more lucrative than the white market, » says Laurent Bernard, public policy analyst at the OECD (Organisation for Economic Co-operation and Development).

« There is a consensus in all communities, whether OECD member states who speak out on the issue, the private sector, publishers, or the hackers themselves, that researchers are under threat. What’s very difficult is that this threat rarely leads to legal action, which would create a precedent. It’s all happening under the radar, » says Laurent Bernard.

Policies must therefore be adopted to ensure that researchers are neither threatened nor prosecuted when they follow best practices. « The problem is defining what best practice is. There currently is no consensus among researchers, companies, or even judges, which we could refer to in a lawsuit or trial. This is a very new, very recent field, in which we nevertheless need to keep moving forward, » says Laurent Bernard.

Moving forward also means working on market dysfunctions. « It may seem obvious that more money can be made when you sell something on the black market, but the question is how we can ensure that this is not the case on the gray market, which is a very complex market that can involve state actors, sometimes for the right reasons and sometimes for the wrong ones, » says Laurent Bernard.

A solution from European institutions?

Can European institutions offer a solution to this complex situation? « I am convinced that European institutions are the key to this equation. We could imagine a European body that would collect vulnerability reports and manage them as ethically as possible. In my view, the solution lies in approaching the problem from the angle of the rule of law. I hope that the European Commission will tackle this issue because governments have their flaws. When it comes to vulnerabilities, they always hide behind national security, » says Guilhem Giraud, an expert in homeland security technologies.

Jérôme Barbier, who is responsible for space, digital and economic issues at the Paris Peace Forum, does not share this view, however. « In early December, the Cyber Resilience Act was agreed in principle by the European Parliament and the Council. The idea of a platform that could list all vulnerabilities and be accessible to all national agencies has been the subject of much debate and has been opposed unanimously by the private sector and Member States, including France, on security grounds. »

A legal gray area that depends on who you deal with

Despite this, things are changing at the European level, according to Noémie Véron, lecturer in public law at the University of Lille. « Since 2019, the Regulation on ENISA (European Union Agency for Cybersecurity) and cybersecurity certification of information and communications technologies requires certain large companies, such as so-called operators of vital importance, to list certain flaws and vulnerabilities, » she says.

Vulnerability researchers are still left in legal limbo, however. « Your protection differs depending on the organization to which you report the vulnerability. If you report it to Anssi, they cannot refer it to the prosecutor’s office. But if the vulnerability researcher reports the vulnerability to the software operator, they could potentially decide to file criminal charges, » says Noémie Véron.

Given the rise of vulnerabilities in IT systems, European coordination is required to impose consistent ethical practices and protect cybersecurity researchers. Only a unified approach can improve global security and offer fair compensation for contributions to cybersecurity.