Articles

MITA’s CYBER Breakfast Event Explores Coordinated Vulnerability Disclosure & its Challenges in Malta

Promoting Responsible Disclosure and Strengthening Cybersecurity Ecosystems

The National Cybersecurity Coordination Centre (NCC), under the auspices of the Malta Information Technology Agency (MITA) recently hosted its third CYBER Breakfast event of the year, focusing on the vital topic of Coordinated Vulnerability Disclosure (CVD). 

Held at the AX Palace Hotel in Sliema on September 12, 2023, the event gathered cybersecurity professionals, experts, and enthusiasts to delve into the world of responsible disclosure and its implications. 

Demystifying Coordinated Vulnerability Disclosure

Kicking off the event, Kirsten Cremona, Senior Manager at PwC Malta, provided a comprehensive overview of Coordinated Vulnerability Disclosure (CVD). 

CVD refers to a structured process by which cybersecurity professionals work collaboratively with vendors and infrastructure owners to share information about vulnerabilities. This approach ensures minimal risk of mass exploitation and allows for coordinated responses, including informing the public and providing remediation steps. 

Mr. Cremona emphasised the importance of vendor transparency in this process. Responsible disclosure within CVD involves ethical hackers and researchers discreetly identifying vulnerabilities and notifying the affected entity, reducing the risk of further damage. However, coordinated public disclosure remains crucial for transparency, especially for end-users.

Several key elements underpin the success of CVD:

Policy: Clear policies on how to disclose vulnerabilities and coordinate efforts.

Key Stakeholders: Identification of key individuals and organisations involved in the process.

Tools: Dedicated tools and platforms for submitting vulnerability information.

Awareness Campaigns: Raising awareness about the importance of CVD.

Operational Procedures: Establishing dedicated Standard Operating Procedures (SOPs) for handling vulnerabilities.

In contrast to CVD, two other forms of vulnerability disclosure gained popularity in recent years, including Full Disclosure, which involves publicly disclosing all information about a discovered vulnerability, increasing pressure on vendors to address the issue promptly; and Private Disclosure, where ethical hackers directly notify vendors about vulnerabilities without public disclosure.

Unlike these approaches, CVD follows a structured process involving a finder of the vulnerability, a coordinator who receives and confirms reports, and the vendor or deployer responsible for patching the vulnerability.

Challenges in Implementing CVD in Malta

During the panel discussion involving the same Mr. Cremona, Mr. Martin Camilleri from MITA and Dr. Christian Bonnici West from the University of Malta, and moderated by Dr. Ian Gauci from GTG Advocates, they explored the challenges faced when implementing a national or private CVD in Malta. These challenges included the need to address concerns related to legislation, data protection laws, and distinguishing between ethical and malicious hacking; the importance of ensuring organisations have the resources, skillsets, and incentives to participate in CVD; and the need to encourage and incentivize ethical hackers and researchers to engage in CVD efforts.

The breakout sessions provided invaluable insights and potential solutions to the challenges at hand. From a legal perspective, participants discussed the need for changes in national laws and policies governing CVD, as well as the idea of establishing registration with a central agency for ethical hackers to promote a safer testing environment. 

On the political front, the emphasis was on advocating a bottom-up approach to cybersecurity laws, involving academia, incentivizing students to pursue careers in the field, and fostering collaboration between the state and industry. 

Addressing economic aspects  was a call to increase interest in cybersecurity through educational programs, offer tax incentives for hiring technical personnel, and recognize and promote companies with effective CVD policies. 

In terms of ecosystem maturity, the consensus leaned towards proactive measures, tackling legacy software issues, differentiating between CVD and penetration testing, and highlighting the pivotal role of culture and the criminal code in shaping cybersecurity practices.

By promoting responsible disclosure and strengthening the cybersecurity ecosystem, Malta is taking significant steps toward a safer digital landscape. The event’s discussions and outcomes highlight the importance of collaboration, awareness, and policy development in the realm of cybersecurity.

This article is co-funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.