This article covers some ways I’ve gotten security bugs fixed inside a company.

Finding bugs is a technical problem, fixing them is a human problem.

Hacking: Exciting.
Finding bugs: Exciting.
Fixing those bugs: Not exciting.

The thing is, the finish line for our job in security is getting bugs fixed¹, not just found and filed. Doing this effectively is not a technology problem. It is a communications, organizational² and psychology problem.

A decade ago on the Microsoft vista pentest we³ found some bugs. Then as we worked to get those bugs fixed we got a lot of excuses back: “but that would be illegal”, “just a denial of service”, “ but its a perf hit”, “but the victim would have to click on it”. This happened enough times that a bingo board of the excuses took shape:

Fixing involves excuses. The excellent full story is here.

The point is it is sometimes a hassle to get security bugs fixed and this isn’t a new problem. It is common for critical security flaws are fixed quickly but the long tail of lower-priority issues (that should still be fixed!) to drag on.

Over the years I’ve gotten a lot better at getting these type of issues fixed.

Things that worked for me:

Conclusion

I’ve seen many exasperated security people lean too heavily on the moral component of fixing security bugs (its the right thing to do, how could you not!) and be surprised when that plea doesn’t resonate.

Security is an inherently cross-functional discipline. We have to work across many teams of varying qualities and enthusiasm for security. The social engineering to getting bugs fixed can be complex so hopefully these notes help.

Footnotes

1. Not just found and fixed but prevented for next time, eradicated across the codebase, well-understood by the company. I am using “fixed” as shorthand.

2. This all assumes you work at a company that cares about security and has the appetite to fix things but just isn’t getting it done. I’ve written about this with more color around how to start from zero here.

3. I played a small part here finding a few bugs and mostly heard this story from others after walking past this board.