Software products are often patchworks of source code from different organizations. Identified vulnerabilities might be relevant to many different players. We investigate companies’ attitudes toward sharing vulnerability information. Does current practice follow contemporary cybersecurity guidelines?
We started with a very ambitious plan for the survey in this study. Initially, we defined a sampling strategy based on large companies on the Swedish stock exchange. We also recruited a student to personally contact the companies to find a suitable person to fill in the questionnaire. In the end, the companies were reluctant to answer our questions, despite our promises not to disclose any sources. We had to fall back on the far too common convenience sampling, as is often the case in software engineering (SE) research.
Why didn’t the potential respondents provide answers? We believe there are two main reasons. First, questions related to security are sensitive (as confirmed by our study): respondents don’t want to answer unless they appear mature. The questionnaire was also fairly complex, with several hard questions; answering them properly would probably require some investigation. Second, our work was not an ordinary anonymous personal opinion survey. Responses were supposed to cover a whole company. This is hard in large organizations with several business units that might work in different ways. Our study is based on an analysis of responses from 17 companies in Sweden, including 10 large ones (>250 employees).
Companies are positive but passive
New vulnerabilities are disclosed every day. The biggest database of vulnerabilities is the National Vulnerability Database (NVD) with tens of thousands of new items per year. This leads to an information overload for development organizations since there is a continuous inflow of reports to stay on top of. But how willing are Swedish companies to share information directly with other players in their software ecosystems?
Our results indicate that Swedish companies are willing to share vulnerability information, especially with business partners. However, sharing appears to be reactive rather than proactive. We found no sharing plans in operation; instead, companies act when it is needed. Some companies, however, explain that they prefer not to share vulnerability information as it might be harmful, i.e., “security through obscurity”.
Government agencies in Europe and the US tend to promote disclosure and sharing of vulnerability information within the software ecosystem. This policy of collaboration is supposed to improve cybersecurity in the long term. Cybersecurity organizations (BITAG and ISOC) go further and recommend that consumers shall be informed as well. Our results show that companies in Sweden are not at all that mature in vulnerability sharing. We live in a highly connected society, and we therefore recommend that companies develop their information sharing processes.
Implications for research
- The research community needs to better understand vulnerability sharing to be able to provide validated guidelines in the future.
- There is a potential for research on business models related to vulnerability sharing.
- Research on security change impact analysis for individual vulnerabilities is needed, i.e., supporting analysis on the system level.
Implications for industry
- Most companies must improve their vulnerability management.
- There appears to be a need for a trusted third party to facilitate the sharing of vulnerability information.
Thomas Olsson, Martin Hell, Martin Höst, Ulrik Franke, and Markus Borg. Sharing of Vulnerability Information Among Companies – A Survey of Swedish Companies. In Proc. of the 45th Euromicro Conference on Software Engineering and Advanced Applications, 2019.
Software products are rarely developed from scratch, and vulnerabilities in such products might reside in parts that are either open source software or provided by another organization. Hence, the total cybersecurity of a product often depends on cooperation, explicit or implicit, between several organizations. We study the attitudes and practices of companies in software ecosystems towards sharing vulnerability information. Furthermore, we compare these practices to contemporary cybersecurity recommendations. This is performed through a questionnaire-based qualitative survey. The questionnaire is divided into two parts: the providers' perspective and the acquirers' perspective. The results show that companies are willing to share information with each other regarding vulnerabilities. Sharing is not considered to be harmful, either to cybersecurity or to their business, even though a majority of the respondents consider vulnerability information sensitive. However, the companies, despite being open to sharing, are less inclined to share vulnerability information proactively. Furthermore, the providers do not perceive that there is a large interest in vulnerability information from their customers. Hence, the companies' overall attitude to sharing vulnerability information is passive but open. In contrast, contemporary cybersecurity guidelines recommend active disclosure and sharing among actors in an ecosystem.