
Proactive, Responsible Disclosure Is One Crucial Way Fortinet Strengthens Customer Security

By Carl Windsor | May 03, 2024

The cybersecurity industry continues to grow and mature. As a part of this process, we must collectively raise the topic of—and discuss the need for—ethical rules for handling the disclosure of vulnerabilities, especially given the many benefits of providing such intelligence in protecting customers against cyber adversaries. Nearly all vulnerabilities that cybercriminals target today can be traced back to software coding errors. Knowing about them before they can be exploited is vital in helping organizations protect their devices, businesses, and customers.

As a driving force in the evolution of cybersecurity, we are committed to being a role model in ethical and responsible product development and vulnerability disclosure. We have a longstanding commitment to responsible radical transparency, which includes proactively upholding the highest standards for responsible disclosure, in line with international and industry best practices.

Our industry leadership and experience in responsible disclosure efforts date back nearly two decades. This experience includes building and cultivating proactive disclosure channels and following responsible disclosure protocols and action plans, which Fortinet developed, to provide user protections more quickly.

Below, we outline these practices and their value in strengthening the security of our customers and the industry at large.

Industry Principles for Responsible Disclosure Practices

All digital devices and software are built on code. According to one recent industry analysis, an average software code sample contains 6,000 defects per million lines of code. Research conducted at Carnegie Mellon University’s Software Engineering Institute indicates that about 5% of those defects can be exploited, roughly translating to three exploitable vulnerabilities for every 10,000 lines of code.

Vendors need to work to identify, patch, and actively disclose such vulnerabilities, together with mitigation guidance, to protect users before threat actors can abuse them. There are multiple ways a vulnerability is discovered and disclosed. The first is self-discovery through rigorous code analysis, penetration testing, fuzzing, and similar techniques. Another occurs when third-party threat researchers report discovered vulnerabilities to vendors. The least fortunate is when an organization discovers a vulnerability only because it is already being actively exploited.

Not all organizations follow the same standards for transparency in vulnerability disclosure, regardless of how the vulnerabilities are discovered. While there are international and industry best practices for creating responsible disclosure processes, following them is encouraged but not enforced or mandated, and not every organization adheres to them.

Responsible, Radical Transparency Strengthens Cyber Resiliency

At Fortinet, we have a longstanding dedication to proactively incorporating and adhering to best practices aligned with government entities, such as the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, in every aspect of our product development lifecycle. We also proactively and transparently outline in detail our Security Vulnerability Policy, which can be found at https://www.fortiguard.com/psirt_policy.

Because of Fortinet’s commitment to rigorous auditing, nearly 80% of Fortinet vulnerabilities discovered in 2023 were identified internally. This proactive approach to seeking out and finding potential vulnerabilities enables us to develop and implement fixes before malicious exploitation can occur. We also work closely with Fortinet customers, independent security researchers, consultants, industry organizations, and other vendors to identify issues.

Timely and ongoing communication with our customers is essential in our efforts to help protect and secure their organizations. Findings reported through these exercises are responded to appropriately, and all remediated issues, whether internally or externally discovered, are transparently and responsibly published through channels such as our Monthly Vulnerability Advisory, published on the second Tuesday of each month. The Fortinet Product Security Incident Response Team (PSIRT) policy diligently balances our commitment to the security of our customers and our culture of researcher collaboration and transparency. There are instances when confidential and advanced customer communications can include early warnings on advisories, enabling our customers to further strengthen their respective security postures before the advisory is released publicly.

This continued commitment to responsible development and disclosure empowers our customers to make informed, risk-based decisions about their security. Keeping customers up to date on vulnerabilities and patches is imperative to help protect their critical assets. Our commitment to security-by-design covers every stage of product development, from concept to end-of-life, and operates in accordance with leading standards such as NIST 800-53, NIST 800-160, NIST 800-218, US EO 14028, and UK TSB.

At the same time, our FortiGuard Labs threat researchers actively hunt for vulnerabilities across the digital landscape. As a result, they consistently discover and report zero-day threats in third-party software and hardware and have responsibly disclosed over 1020 zero-days to over 100 vendors to date, working to harden infrastructure through responsible disclosure. Because we also develop our own hardware and software, we understand that these vendors need an opportunity to resolve a vulnerability before it becomes more widely known and adversaries can exploit it. We follow the industry best practice of notifying developers of newly discovered vulnerabilities and giving them time to create and apply countermeasures.

All vendors should engage in similar proactive analysis and disclosure practices. Such an approach significantly enhances the safety of the entire cybersecurity ecosystem.

Choosing a Vendor Committed to Responsible Disclosure and Response

We understand that organizations today have a heightened awareness of security. When selecting suppliers, they have a choice in who and what they trust to deploy on their networks. Our PSIRT program provides organizations with the vital information they need to make risk-based decisions, including:

In addition to providing patches and updates, we recognize that immediately upgrading is not always an option. Whenever possible, we also offer compensating controls for our customers, which may include:

  • Virtual patching: Automatic virtual patching of externally-facing interfaces controlled by Fortinet to enable immediate risk mitigation while supporting a controlled upgrade process
  • Automatic upgrades: Upgrade-by-default policy settings to ensure consistent upgrades to the latest patch release
  • Workarounds: Configurational changes to mitigate potential risks
  • Hardware and file system integrity checking: Hardware chain of trust in the BIOS and FortiSP5 ASIC for secure boot functionality

A Call to the Industry: Doing the Right Thing for the Security of our Society

Fortinet is committed to careful internal code testing and analysis, coordination with external threat researchers, validation through third-party vendors, and transparent disclosure of discovered vulnerabilities. We apply this same level of integrity to every aspect of our business.

We will continue leading the way, proactively modeling leadership, and promoting a code of ethics for responsible vulnerability disclosure. We encourage our industry peers to do the same, for the betterment of the whole industry.

To learn more about bringing “radical transparency” to our industry, attend Fortinet’s panel at the annual RSA Conference in San Francisco, “No More Secrets in Cybersecurity: Implementing ‘Radical Transparency’,” on Thursday, May 9, from 10:50 to 11:40 a.m. PT in Moscone South – 156. In this session, you will hear from esteemed industry experts, including leaders from CISA, Cyber Threat Alliance, a former U.S. Department of Homeland Security Undersecretary, and Fortinet, on the importance of cyber transparency and how this plays directly into trust and confidence in the products and solutions used to protect networks and data.

We encourage other technology companies to grow their understanding and familiarity with these critical topics and join the effort to keep all organizations secure through responsible, radical transparency.
