The UK National Cyber Security Centre (NCSC) has released a guideline, dubbed The Vulnerability Disclosure Toolkit, on how to implement a vulnerability disclosure process.
The guidelines highlight the importance for any organization to encourage responsible bug reporting through specifically-defined processes.
A vulnerability disclosure process could help organizations in rapidly address vulnerabilities reported by experts and bug hunters to reduce the risk of compromise.
“The international standard for vulnerability disclosure (ISO/IEC 29147:2018) defines the techniques and policies that can be used to receive vulnerability reports and publish remediation information. The NCSC designed this toolkit for organisations that currently don’t have a disclosure process but are looking to create one.” reads the guideline.
Receiving vulnerability reports reduces the risk that flaws are discovered by adversaries and exploited in attacks in the wild, and improve the security of the products or services of the organization.
“Having a clearly signposted reporting process demonstrates that your organisation takes security seriously. By providing a clear process, organisations can receive the information directly so the vulnerability can be addressed, and the risk of compromise reduced.” states the document. “This process also reduces the reputational damage of public disclosure by providing a way to report, and a defined policy of how the organisation will respond”
The guideline is organized into three main sections, Communication, Policy, and Security.txt. The process for communicating a vulnerability must be clear and well defined, it could be useful to set up a specific path for disclosing the issues (email address or secure web form).
The use of security.txt standard could help to create an easy-to-find section of websites where it is possible to find the contacts and the policy.
The file contains two key fields, “CONTACT”, which includes references to report the flaw (i.e. email or secure web form) and POLICY, a link to the vulnerability disclosure policy of the organization.
The NCSC provided recommendations on how to respond to vulnerability disclosure, for example, it suggests to never ignore any reports and suggest companies to avoid forcing the finder to sign a non-disclosure agreement “as the individual is simply looking to ensure the vulnerability is fixed.”
Another crucial aspect of the Vulnerability Disclosure Toolkit is the policy, it must be clear and have to allow organizations to define expectation from vulnerability reports and their response. It is essential to enable the organization and the finder (the expert who reports the flaw) to confidently work within an agreed framework.
The release of “The Vulnerability Disclosure Toolkit” is just a part of the efforts of the UK Government in the definition of national legislative frameworks.
“Equally, going forward this requirement will be embedded into legislative frameworks. The UK government is currently developing legislation that will require manufacturers of smart devices to provide a public point
of contact as part of a vulnerability disclosure policy. This is also a requirement for other international efforts on smart device security including the standard EN 303 645″ concludes the guide.
(SecurityAffairs – hacking, Vulnerability Disclosure Toolkit)