Today I saw a very neat Tweet by one of my favorite Twitter users, @SwiftOnSecurity:
SwiftOnSecurity (@swiftonsecurity), 15 May 2019: "Ouh nice Google is sending me a new pair of security keys for free. The issue sounds super-obscure though. Appreciate how careful they are since human rights people use this stuff also. myaccount.google.com/replacemykey"
Let's talk about it.
This is a notice that Google put out to users who owned a Bluetooth Titan Security Key. For readability (and hella SEO), I've copied the text below:
We've become aware of an issue affecting the Bluetooth Low Energy (BLE) Feitian security key. This issue does not affect the USB/NFC version of the Feitian security key. It is still safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available.
Your Feitian security key is affected by this issue if it has a "1", "2", or "3" on the back of the key. If your BLE security key is affected, we're offering a replacement at a highly discounted rate.
I want to draw attention to a couple of snippets in this text to show off how well-made this notice was:
It is still safer to use the affected key instead of no key at all.
Your Feitian security key is affected by this issue if it has a "1", "2", or "3" on the back of the key.
These two snippets illustrate a point that I feel a lot of public disclosures for security vulnerabilities fail to follow: users care about one thing, "What should I do now?" Unless the user is also in the infosec field, it is very unlikely that they care about any of the following:
How the vulnerability works
What potential negative effects the vulnerability could cause
How widespread the vulnerability is
A demo of the vulnerability
To the public, there is only one thing that matters, and that is "What should I do now?" Because that's the only part that actually affects them. They could perform the recommended action, and then forget about it and live the rest of their lives completely ignoring the vulnerability. And that's perfectly fine!
But here's the kicker: It's not just that you don't have to include extra information past that. If you are writing a disclosure specifically for public consumption, adding that extra information could in fact adversely affect your audience. Imagine if this notice had been a page long, with diagrams, and a video demo of the vulnerability. Users would be more likely to just ignore the vulnerability in its entirety and do nothing, because they are users, and users do that.
At this point, if you're familiar with public disclosures, you may be confused as to why I'm advocating for leaving out essential information for those interested in the vulnerability. In fact, the point I'm trying to make is that, if you're intending for this to be read by the general public, you should think that through, and realize that your audience is not interested in the vulnerability.
Ideally, you actually want two different forms of the disclosure, both for public consumption: one for those interested in the vulnerability (probably infosec people), and one for the general public (probably users who need to do something as the result of a vulnerability). For the infosec one, you should be adding in as much interesting information as you want; this is the group of people who will want to see it. But for the general one, you should be intentionally withholding information like I was describing earlier.
The thing that actually baffles me with how some infosec researchers publicly disclose vulnerabilities is how they will actually just skip the general public disclosure entirely. Making a disclosure for the users is so essential because you get to pre-empt anyone wanting to do it for you. This means:
News sites are less likely to misrepresent what you've found.
News sites are more likely to emphasize what you deem to be the most important aspects of the vulnerability for users.
As a result, the public understanding of the vulnerability will be more correct.
By making this crucial distinction and making two disclosures, you're able to get the best outcome for each of your audiences: The general public knows exactly what they need to do (and nothing else), and the infosec community knows all the details they need to know, and could potentially even contribute to mitigations and such.