Dec 14 2008

Part 2: Responsible Disclosure Can Be A Painful Process

This is a continuation of Part 1: Cross-Road With Responsible Disclosure.

Out of the 5 institutions I located running the medical software publicly online, only two contacted me back for more information. As an aside, I discovered that most organizations do not have an easy way for outsiders to contact them about issues like this. Every company and site should have a privacy policy describing how it handles information. That privacy policy is a natural place to publish a security contact and the process for reporting a problem. A security@example.com address would also be a big help to researchers.

One of the institutions was kind (and responsible) enough to contact me back and let me know that the vendor had finally released a patch for this vulnerability, six months after the initial report.

Here are some lessons learned from the process.

The Vendor: If you are a vendor or service provider of software products and services, take note. You need to be proactive and take security seriously. You should have a documented, public process that researchers and customers can follow to notify you of a vulnerability, and through which they are notified of security updates to your product. Companies are feeling the pressure of regulatory compliance and the need for stability and security, and they will start to demand this. Start now, before you fall behind a wiser competitor.

The Customer: Pressure your vendors to provide quantifiable proof that they have put significant effort into securing the products you purchase from them. For mission-critical software, ask whether they have had a third-party security audit. Ask whether they track metrics such as how long it takes to fix a security issue, measured from the first report to customer notification. If they keep those metrics, ask for them, and find out what they are doing to lower that number. Ask whether they proactively notify customers of security issues, or whether you have to hunt for the information in the sparse content they call the README.

The final post in this series will be the advisory itself, so you can see just how silly, yet dangerous, this vulnerability was.