Red Hot Cyber


Why responsible vulnerability disclosure is important.

Redazione RHC: 27 July 2025 09:50

We often talk about responsible vulnerability disclosure, but, as we have already seen, it is rarely handled in a well-regulated way, even though international guidelines and best practices exist, including those published by ENISA.

Disclosing vulnerabilities responsibly is both safe and correct, and it matters.

It lets the whole software industry improve, lets public vulnerability scanners and detection tools recognize the flaw, and tells everyone that a patch for a specific product exists and that it fixes a dangerous zero-day.

Yet even today many companies are reluctant to set up bug bounty or responsible disclosure programs, and they tend to avoid what is called full disclosure, that is, the publication of the complete technical details and payloads of a vulnerability once the coordinated disclosure process has run its course and a fix is available.

Often they simply ship patches without telling anyone that a dangerous zero-day has been fixed, believing that a CVE published in the United States National Vulnerability Database (NVD) will damage their brand and online reputation.

This is the wrong approach: it sacrifices transparency towards customers, fosters secrecy and a growing stock of undocumented vulnerabilities, and ignores the fact that anyone who buys a hardware or software product has a right to know about the flaws it contains. A silent fix does not even hide the bug from attackers, who routinely diff patches to find out what changed; it only hides it from the defenders who need that information to prioritize the update.

There is no software without vulnerabilities, even with the best secure development processes. Active collaboration with security researchers, if well managed, can therefore dramatically improve product security, to the benefit of researchers and companies alike.

All large companies should become a CNA (CVE Numbering Authority), so that they can assign CVE IDs themselves when security researchers responsibly report new flaws in their products.

This is not something that can be set up overnight, but it is worth planning for, especially for companies that develop software and sell it internationally.

Do you remember the start of the coronavirus emergency and how much was said about Zoom's bugs? Initially the company did not treat security as an enabling value: its advertised end-to-end encryption turned out not to be end-to-end, and its security policies were not compliant. It then launched a 90-day plan to rebuild its security posture, including a bug bounty program on HackerOne and the acquisition of Keybase, a company specializing in encryption.

Some companies even bring their products to events whose purpose is to find previously unknown vulnerabilities: they pay researchers for the effort, sometimes hand over the product itself as the prize, and then issue CVEs for what was found.

I am talking about Pwn2Own, and about Tesla, which handed a Model 3 to the researchers who found zero-days in it, but also about Microsoft, Apple, Google and many others who understood that working openly with researchers rewards both sides and protects all of their customers.

It is a journey that does not happen overnight, but only the companies that understand how much the hacker community can help improve their products will succeed in the challenging years ahead.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who work together to provide early information and news on cybersecurity and computing in general.
