Rapid7's 2021 ICER Takeaways: Vulnerability Disclosure Programs Among the Fortune 500

Last updated at Tue, 25 Apr 2023 20:09:06 GMT

This blog post covers key takeaways from our 2021 Industry Cyber-Exposure Report (ICER): Fortune 500.

Every major corporation on Earth is a technology company. It is unthinkable that a business that generates billions of dollars in revenue and employs thousands of workers would not have a significant technological investment in their products, processes, and logistics. We rely on fantastically advanced technologies in every aspect of our modern lives. Of course, anyone who has spent any time analyzing these technologies will notice that we are routinely bedeviled with vulnerabilities, especially when it comes to internet-based systems.

As it happens, we have a powerful and proven method to stem the tide of vulnerabilities in major technologies: coordinated vulnerability disclosure (CVD), and a now-standard mechanism to participate in CVD, vulnerability disclosure programs (VDPs).

The presence of a publicly accessible VDP is conspicuously lacking across most of the companies in the Fortune 500, which, in turn, makes it difficult for those companies to ever learn about vulnerabilities in their products and technical infrastructure in a constructive way.

While VDPs are more common today among the highest-revenue companies, the drop-off is rather steep after the top 100 companies, and few of the 21 industries represented in the Fortune 500 have normalized VDPs as a business practice. Without vulnerability disclosure programs, these industries are telegraphing that they do not want to know about their own vulnerabilities, intentionally or not, to their shareholders' and customers' peril.

For this study, we searched for VDPs associated with Fortune 500 companies and flagship brands of those companies, much in the same way we would if we were about to disclose a vulnerability about those companies' products or services. Specifically, we looked for the following, in this order:

• The presence of a VDP associated with all Fortune 500 companies (or flagship brands of those companies) listed on either Bugcrowd’s or HackerOne’s crowdsourced bug bounty lists, or in the Disclose.io program database.
• The presence of a standardized security.txt file on each company or flagship brand website to facilitate the sharing of discovered vulnerabilities with website maintainers.
• An obvious pointer to, or indication of, a VDP offered by the candidate companies by Googling the terms "vulnerability," "disclosure," and "security," along with the company name and flagship brand.

The initial survey was conducted in December 2020 and reviewed again in January 2021.

It is possible some of the surveyed companies that appear to not offer a VDP do, in fact, have a process for receiving vulnerability intelligence, but the lack of an easily discoverable VDP drastically undercuts the effectiveness of the VDP for both researchers and the companies.

Assessing the relative merits of individual VDPs is beyond the scope of this paper, but it should be noted that not all VDPs are created equal—some offer robust "safe harbor" protections for researchers and accidental discoverers when reporting and publishing vulnerabilities, while others seek to bind researchers in restrictive agreements about what can be assessed and how results are to be handled and communicated. For this paper, the mere existence of a VDP, no matter how liberal or restrictive, counts as a positive.

Results: Prevalence of VDP adoption

In January 2019, Casey Ellis, founder of Bugcrowd, remarked in a blog post that "only 9% of the Fortune 500 run vulnerability-disclosure programs.” Therefore, the most surprising finding in this 2021 survey is that nearly 20% of the Fortune 500 signal a VDP. We were able to discover 99 vulnerability-disclosure programs across the 500 companies investigated in January 2021. Even more heartening is that among the top 100 companies, a whopping 46 have a documented, easily discoverable mechanism for reporting product or infrastructure vulnerabilities.

With that bit of good news out of the way, however, we must look at how the rest of the Fortune 500 fares. The figure below breaks the surveyed companies down into quintiles, based on their reported revenues for 2020:

There is a marked drop-off in the presence of a VDP per quintile, except for the last quintile, where there's a marked increase again, matching the third quintile. This rise in the first quintile may be partially explained by the fact that there are twice as many Technology sector companies in the bottom 100 as there are in the second quintile, and 5 out of 10 of those companies do have a VDP. In fact, as we'll see in the next section, Technology is the only sector in the Fortune 500 where the majority of companies have a VDP.

The figure below breaks down the Fortune 500 by industry, and demonstrates that, as one might expect, few industries outside of the technology sector have normalized and internalized vulnerability disclosure as a component of their businesses.

While the technology sector is unsurprisingly at the top of the list, the astute reader will note that this figure is sorted by percentage of companies within that industry that have a VDP, rather than by raw count. This is because the Fortune 500 is dominated by the financial sector—after all, that's where the money is (to borrow Sutton's Law), and it's no surprise that nearly one-fifth of the top-revenue companies in the United States are primarily engaged in financial services. So, while 21 financial-services companies have a VDP, that is only 23% of all financials represented by the Fortune 500, which is nearly the same percentage as those found in the business-services sector and somewhat less than the auto industry.

The key takeaway from this view of the Fortune 500 is that, while all major companies have some technical component (and therefore have technical vulnerabilities), nearly 80% of these top companies in the U.S. outside of the technology sector lack a formal vulnerability disclosure program. While this might be understandable in prior decades, this state of affairs is simply unacceptable in today's hyper-technical business environment.

The lack of VDPs across the upper echelons of American economy discourages the reasonable and responsible disclosure of newly discovered vulnerabilities in their products, services, and infrastructure—after all, VDPs aren't just for reporting software bugs in software applications, but are also useful for reporting the discovery of sensitive data found about customers or company internals left open on insecure cloud storage. It is, of course, possible to disclose vulnerabilities to companies in industries without a formal VDP, but the lack of VDPs introduces inefficiencies for the companies and legal risk to researchers.

Finally, a functioning VDP signals that a given company has made some investment in their overall information-security program, so it stands to reason that the lack of a VDP is signaling the opposite. Every company on this list has a website privacy policy, so every company should have some formal method for receiving and handling vulnerability reports.

CISO takeaways

We are strong proponents of clearly defined, easily discoverable vulnerability disclosure programs. We believe that every company in the Fortune 500 (and beyond) should adopt one.

Launching and running a successful VDP may be tricky—after all, the presence of a VDP implies a level of security maturity that may not yet exist at a given company, so CISOs at organizations without a VDP are strongly encouraged to familiarize themselves with the basics of vulnerability disclosure.

We believe there is a critical mass of CISO expertise in building and maintaining VDPs and that there is plenty of opportunity to learn from the experiences of others in the field. In our experience, not only do CISOs personally enjoy discussing their VDP experiences, but it can be hard to shut them up about it when they get going.

ISO 29147 (Information technology—Security techniques—Vulnerability disclosure) and ISO 30111 (Information technology—Security techniques—Vulnerability handling processes) are excellent starting points for building, maintaining, and improving a vulnerability disclosure program. These ISOs were developed in partnership with internationally recognized experts in the field of vulnerability disclosure, and can help any CISO get a leg up.

Another first-step approach to establishing a minimal VDP is a contact and policy document placed at <hxxps://your-company.com/.well-known/security.txt>. This is a relatively new standard for VDP communication that provides for basic contact-information signaling, readable by both humans and machines.

Want to learn more about the internet-facing cyber-exposure of the Fortune 500? Read our 2021 Industry Cyber-Exposure Report (ICER): Fortune 500.