Relations between developers and security researchers are critical, but it’s no secret they’re often fraught.
GitHub first announced that it was expanding its research to more fully understand the relationship between developer and security research communities in December 2020. The initial analysis, conducted by GitHub Security Lab, has now been released.
For its debut analysis, GitHub focused on the vulnerability disclosure process, for which there is currently no industry-wide standard. GitHub notes how entities such as Google’s Project Zero, the GitHub Security Lab, Snyk, HackerOne, and VuSec all have their own unique disclosure process. GitHub believes an increased understanding of the relationship between stakeholders could lessen the impact of this lack of process uniformity.
Before we delve into the findings, it’s worth noting that GitHub makes clear this report is primarily from the perspectives of maintainers. The company says it plans to include more insights from the perspectives of security researchers later this year.
On the whole, maintainers who participated in the survey (conducted via remote interview sessions between November 2020 and March 2021) had little to no engagement with the security research community beyond the vulnerability disclosure process.
To increase engagement, it seems the security research community has some work to do. Many maintainers reported that they don’t find the security research community particularly welcoming. However, maintainers are still open to learning some basic knowledge of security research.
“Everyone has different priorities … it creates conflict. If everybody understands each other’s priorities, [then] usually you can make decisions and understand trade offs,” one maintainer explained. “Everyone is at least less unhappy about the result.”
“Security doesn’t work unless everyone is on board [and] aligned with those priorities. Everyone involved needs to understand that security is important.”
Understandably, maintainers feel a range of emotions when a vulnerability is reported, including anxiety and stress.
“My initial emotional response is ‘Oh no, how bad is it now?’ It’s never fun being on the receiving end. It depends on the severity of the impact,” said another maintainer. “Should I drop my professional work to fix it? If [it’s] critical enough, I sometimes do that.”
Maintainers appreciate constructive feedback through private channels. They generally don’t expect remediation advice but appreciate it when it’s offered. If feedback is negative, or a personal attack, maintainers tend to ignore it.
Participants often felt capable of addressing vulnerabilities with the common 90-day coordinated disclosure remediation window.