Vulnerability disclosure is not a choice. It’s a responsibility.

Our take on vulnerability disclosure, after BlackBerry's failure to disclose CVE-2021-22156.

Yaniv Bar-Dayan | August 26, 2021

Last week, news broke that BlackBerry had withheld information from its users about a serious security flaw – for months. In vulnerability disclosure terms, that’s big news.

What is CVE-2021-22156?

CVE-2021-22156 (known as BadAlloc) is a collection of integer overflow vulnerabilities affecting multiple real-time operating systems and supporting libraries. According to CISA, “exploitation of this vulnerability could lead to a denial-of-service condition or arbitrary code execution in affected devices.”

In BlackBerry’s case, every one of its programs that depends on the C runtime library is affected by this vulnerability. That impacts some 200 million cars, medical devices, and parts of the International Space Station.
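The BadAlloc class of bug is an integer overflow in the arithmetic that computes an allocation size: `count * element_size` wraps around, a much smaller buffer than requested is handed back, and the caller then writes past its end. The following C snippet is an added illustration of that pattern and its mitigation, not BlackBerry's code and not the actual affected runtime functions; the function names are hypothetical, and the overflow check uses a portable `SIZE_MAX` division test rather than any vendor-specific API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Unchecked size computation: the bug class behind BadAlloc-style
 * allocator flaws. On overflow the product silently wraps, so a huge
 * request turns into a tiny allocation. (Hypothetical name.) */
size_t naive_array_bytes(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Checked size computation: returns 1 and stores the product in *out
 * when count * elem_size fits in size_t, otherwise returns 0 and stores 0.
 * The division test is portable C and does not rely on compiler builtins. */
int checked_array_bytes(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        *out = 0;
        return 0;               /* would overflow */
    }
    *out = count * elem_size;   /* safe: proven to fit */
    return 1;
}

/* Hardened allocator wrapper: refuses requests whose size arithmetic
 * overflows instead of returning an undersized buffer. */
void *safe_alloc_array(size_t count, size_t elem_size) {
    size_t total;
    if (!checked_array_bytes(count, elem_size, &total)) {
        return NULL;            /* caller sees failure, not a short buffer */
    }
    return malloc(total);
}

/* Convenience predicate for callers and tests: 1 if the request is sane. */
int alloc_request_is_safe(size_t count, size_t elem_size) {
    size_t ignored;
    return checked_array_bytes(count, elem_size, &ignored);
}

int main(void) {
    /* Constructed input: a count chosen so count * 2 exceeds SIZE_MAX. */
    size_t count = SIZE_MAX / 2 + 2;
    size_t elem = 2;

    printf("naive size for %zu x %zu bytes: %zu (wrapped)\n",
           count, elem, naive_array_bytes(count, elem));
    printf("checked request accepted: %d\n", alloc_request_is_safe(count, elem));
    printf("safe_alloc_array returned NULL: %d\n",
           safe_alloc_array(count, elem) == NULL);

    void *ok = safe_alloc_array(100, 8);
    printf("legitimate 100 x 8 request succeeded: %d\n", ok != NULL);
    free(ok);
    return 0;
}
```

The defensive point is in `checked_array_bytes`: an allocator, or any wrapper that turns a count into a byte length, must prove the multiplication fits before using its result. The same check belongs anywhere element counts arrive from untrusted input, such as parsed packet headers or file lengths.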

What’s interesting to note here is that CVE-2021-22156 had been known to other companies and to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) since May.

But while those other organizations came forward to disclose the vulnerability and urge their users to take action, BlackBerry failed to declare this major vulnerability, leaving users in the dark about the potential risk to their data.

The importance of vulnerability disclosure

BlackBerry is not the topic of this post. The impact and importance of vulnerability disclosure is.

It’s no news that, left unattended, critical vulnerabilities can lead to exploits, attacks, and data breaches. At a minimum, end users trying to maintain robust cybersecurity programs depend on organizations – particularly tech giants – to adhere to vulnerability disclosure policies and ultimately keep their data protected.

In short, it is unprofessional for an organization not to publish a vulnerability. And without putting BlackBerry in the spotlight, this is a significant event from which we should all be learning as we take our cybersecurity programs forward.

It may be tempting to keep vulnerabilities to yourself, fix them internally, and save yourself some bad PR. But this is a fear-based, short-sighted approach. In large organizations, critical vulnerabilities can often go untouched until it’s already too late.

Some organizations might want to avoid the embarrassment of admitting to a serious vulnerability living in their systems (although EVERYONE has them). But a zero-day vulnerability left undeclared is much worse than a flaw flagged and publicized. Publishing the vulnerability – ideally with a fix – lets those affected mitigate and remediate the risk on their own terms. 
Our shared commitment to the cyber community

As cybersecurity professionals, we must look beyond potential bad press, always preserve the integrity of our systems, and keep our users informed of any potential issues.

Especially in the world of cyber risk, our behavior must be dictated by our values. And at Vulcan, we believe in a culture of fix, where teams feel empowered to proactively find, share, and ultimately fix vulnerabilities as part of a combined effort across their organizations. 

Here’s one way to start: use Remedy Cloud – a free database detailing the latest vulnerabilities, who they affect and, most importantly, how to fix them. You’ll find two workarounds for CVE-2021-22156 so you can #getfixdone.
