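@article{1c72a767b8404681b02564cb70f39c95,
title = "Your Disclosure Is Important to Us: An Analysis of Coordinated Vulnerability Disclosure Responses Using a Real Security Issue",
abstract = "Cybersecurity is increasingly in the crosshairs of policymakers, as evidenced by the introduction of far-reaching legal frameworks around the globe. One concrete example of cybersecurity policy is how to deal with vulnerability disclosures. Organisations increasingly introduce vulnerability disclosure policies, and in some cases, public sector bodies are even required by law to have such policies. In this work, we study the effects of these policies in practice. Using the process specified on an organisation{\textquoteright}s web site, or absent such a process following community best practices, we disclose an e-mail vulnerability affecting a large number of organisations. This vulnerability allows arbitrary actors to send mail on behalf of affected organisations by abusing shared infrastructure. Our disclosure campaign focuses specifically on public and critical infrastructure organisations that are required by law to handle such disclosures. We find that having a policy makes it easier to contact organisations regarding security vulnerabilities. Nevertheless, even with a policy in place, over half of our reports remain unanswered and unresolved after 90 days. Based on our findings, we provide recommendations to policymakers and organisations on how to better shape their vulnerability disclosure processes.",
keywords = "UT-Hybrid-D, E-mail security, Policy effectiveness, Vulnerability disclosure",
author = "van Hove, Koen and van der Ham-de Vos, Jeroen and van Rijswijk-Deij, Roland",
note = "{\textcopyright} 2026 Copyright held by the owner/author(s).",
internal-note = "Author field repaired: the repository export wrote the particles as \{van Hove\}, which leaves literal backslash-brace sequences in the name and breaks BibTeX name parsing; the 'von Last, First' form handles the compound surnames without extra braces. The abstract does not identify the specific e-mail/shared-infrastructure weakness or a CVE, so none is recorded here; the headline finding is that over half of reports to legally obligated organisations were unanswered and unresolved at 90 days.",
year = "2026",
month = apr,
day = "7",
doi = "10.1145/3798280",
language = "English",
volume = "7",
pages = "1--24",
journal = "Digital Threats",
issn = "2692-1626",
publisher = "Association for Computing Machinery",
number = "2",
}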