Why vulnerability disclosure is key to being a responsible vendor

What does it mean to be a responsible vendor? This week, Steve Bell shines a spotlight on product vulnerabilities and the risk of not publishing them quickly. He examines what it means to be a responsible vendor in business and shares what Gallagher is doing to meet its own high expectations.


What does it mean to be a responsible vendor and what does Gallagher offer in that respect?

Being a responsible vendor is about making sure we’ve got a product that does the specified functions, so for us it has to be good at physical access control. Then we’ve got to look at the structure of the product components and look at all the possible security areas that could become problems.

We’re slightly different at Gallagher in that we have taken a different approach to many in the industry – we’ve taken a whole end-to-end ecosystem approach. We have our server components for administration and database, and then the controller, which is the embedded device that gets screwed to a wall and makes the live access decisions. We’ve created secure links between our server and controller, and from controller to controller.

We also have our own range of edge devices. So for physical access control, that’s often the card reader. For some of the other areas like intruder alarms, we’ve got input sensors and devices, as well as a perimeter device and perimeter system.


There used to be resistance, but now it seems that the industry mindset has shifted to being very proactive about publishing vulnerabilities. Gallagher recently became a CVE Numbering Authority – what is that all about?

Common Vulnerabilities and Exposures (CVE) is a database set up by MITRE in the US. It’s a place for the reporting and publishing of vulnerabilities of different software systems. Pretty much all the big players in the world contribute to it, and in parallel to that there’s CVSS (the Common Vulnerability Scoring System), which is a way of classifying that vulnerability into ‘critical’, ‘high’, ‘medium’ and ‘low’.

It’s a standardised system that a lot of companies are using. When you do an assessment of a vulnerability, you can see how that maps to a real-world situation. It takes into account the different sorts of environments, the type of problem, etc.

So the decision to become a Numbering Authority was really just about taking our responsibility a little bit further. We want to make sure we understand as much as we can about that whole process.


What’s the benefit for the customer to have the CVE Numbering Authority in place?

It’s probably not directly seen as a benefit by the vendor, other than seeing that the company is taking it seriously. The benefit for the customer is that a software supplier will actually publish their vulnerabilities so that they can monitor the vulnerability list and see if any business system they are relying on has a vulnerability.

We will attempt to notify all our customers of vulnerabilities in our system independently of the CVE system, but sometimes it can be hard to get that information out to the customers. We see the CVE as a catch-all for those enterprise customers that might not have seen the vulnerabilities through our normal process.


How do you balance the need to notify clients, while ensuring you don’t increase their risk by alerting bad actors in advance of releasing a patch?

We’ve trialled a few different flavours of that process. What we’re doing at the moment is that we don’t publish it on the CVE site until all our channel partners are notified first. We give them some time to work with the customer to plan and upgrade if the issue affects them. Then we’ll release all the upgrades, and then a period of time later we’ll publish it.

By doing this, we’re giving customers the best opportunity to actually get themselves upgraded and protected before the CVE notification is published.


What would you say have been the biggest takeaways on your journey to becoming a responsible vendor?

The big thing for us was getting involved in government security systems, in a number of countries. We find there’s quite a lot of compliance to meet the needs of the governments. They vary by country and they have different focuses, but overall, they’re creating high security from an angle that they value.

But then we think about our enterprise customers. Seven or eight years ago, we saw that when we were trying to win a new customer, they would take our system and put it through a penetration test before they would let it go beyond their network and actually purchase it. That pointed out to us how critical that testing process was.

Since then, we’ve instigated a cybersecurity team in our own right. We’ve trained the team in a course about offensive penetration testing, and then we got our process for publishing CVEs up and going. The latest step was becoming a Numbering Authority.

We’re really just making a commitment to do things well. One of our big guiding principles is getting security designed into our product from the start, on everything we do. That’s what we’re doing to be a more responsible vendor.


Want more insight into the world of security, identity access management, biometrics and more? Get your weekly fix with the Identity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.