Once upon a time, software security vulnerabilities were something that businesses usually discussed only internally. The outside world didn’t have to know when risks emerged within a company’s IT systems.
Those days are over. Today, businesses face increasing pressure to disclose vulnerabilities publicly via the procedures laid out in a Vulnerability Disclosure Program (VDP). VDPs define the process by which organizations share information with external stakeholders about vulnerability discovery, assessment, and remediation.
Although VDPs remain optional in most cases, regulatory agencies have begun to encourage them strongly. In the United States, the Cybersecurity & Infrastructure Security Agency (CISA) has developed a platform to help federal agencies manage VDPs. VDPs can also be helpful in meeting the requirements of compliance frameworks like the GDPR, which — although it does not mandate VDPs specifically — includes requirements regarding the disclosure of breaches.
All of the above is to say that if your business doesn’t yet have a VDP in place, now is a good time to start planning for one. This article explains how to do so by discussing how VDPs work, identifying their benefits, and outlining how to manage disclosures about vulnerabilities.
Third-party vendor security stakeholders
The main purpose of a VDP is to ensure that third-party stakeholders know when vulnerabilities that exist within your business’s IT estate may affect them. In general, there are four main types of stakeholders to consider in this regard:
- Users: People who use your software may be impacted by security flaws within that software.
- Vendors: Software suppliers often need to know about vulnerabilities so they can take steps to mitigate the vulnerabilities’ exploitation within the products they offer.
- Finders: Finders are people whose job is to report and track vulnerabilities through, for example, public vulnerability databases. Disclosing vulnerabilities to them ensures that they can alert others to the existence of software flaws that may exist in their own IT estates.
- Coordinators: Coordinators manage the disclosure and mitigation of vulnerabilities by ensuring that vendors are aware of and address the vulnerabilities identified by finders.
Some of these stakeholders, such as users, are “downstream,” meaning they receive products and services from you. Others, like vendors, are “upstream” stakeholders that supply to you. Both types of stakeholders often need to know about vulnerabilities.
Not every vulnerability needs to be disclosed to every stakeholder. VDPs should define procedures that spell out who requires disclosure about which types of risks.
When defining VDP disclosure policies for your organization, consider factors such as:
- Is disclosure legally required? Obviously, if there is a specific mandate to disclose information, then you need to disclose it.
- How many vendors are impacted? If you can confirm that a vulnerability only affects one or two vendors, you may not need to disclose it to every vendor. But if it affects hundreds of vendors or thousands of users, broad disclosure is more warranted, because it will help affected stakeholders to mitigate their risks.
- How transparent are your vendors? If you report a vulnerability to one of your vendors, will that vendor report the issue to other clients, and/or to finders and coordinators? If not, you have a stronger incentive to disclose the vulnerability to finders and coordinators yourself so that the issue can be mitigated.
- How important is the vulnerability to your supply chain? The importance of a given vendor to your supply chain can vary widely, after all, supply chain management comes with its own challenges. From the perspective of your business’s own security, disclosures are most critical when they involve key vendors.
Vendor security disclosure requirements
When in doubt about what to disclose, consider the following guidelines to help you decide:
- What is your relationship? Does the risk involve a strategic alliance partner or a minor supplier? The more important your relationship to the affected organization, the more important it is to disclose the risk.
- Insurance considerations: In some cases, insurance policies may require you to disclose risks.
- Legal obligations: Likewise, laws may mandate disclosures in some cases. Remember, too, that laws can change, so be sure to keep up-to-date about regulatory disclosure requirements that impact your business.
- Risk management: Your decision about what to disclose should be part of a broader third-party risk management strategy that covers your distributors, resellers, and other supply stakeholders. You can make the most accurate decisions about disclosure when you make those decisions within the broader context of risk management.
If you find it difficult to answer questions like these, you can gain clarity by performing an audit of your vendors. Audits allow you to assess the role that each vendor plays in your supply chain.
Latest disclosure requirements from the Transportation Security Administration (TSA)
On the 2nd December 2021 the DHS’s Transportation Security Administration (TSA) announced two new Security Directives and additional guidance for voluntary measures. These are intended to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure.
They include the following requirements:
- Report all cybersecurity incidents to CISA within 24 hours.
- Designate a cybersecurity coordinator available to TSA and CISA 24/7.
- Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption should their IT and/or OT systems be affected by a cybersecurity incident.
Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their IT/OT systems.
“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” reported Secretary of Homeland Security Alejandro N. Mayorkas.
The best supply chain is a transparent supply chain
Although it’s certainly not the case that every vulnerability needs to be disclosed to every stakeholder, it is generally a good idea to err on the side of disclosure when defining VDP policies.
The reason why is simple: Disclosures help to ensure transparency within your supply chain, and businesses that have a transparent supply chain are in a better position to protect their own interests, as well as those of their partners and users.
When you don’t operate transparently, your reputation is likely to take a much bigger hit in the event that a major vulnerability emerges and it comes to light that you failed to disclose it. As a supply chain aggregator, disclosure helps your vendors fix vulnerabilities as quickly as possible, which in turn means that you can keep using their products without worrying about security risks.
The future of vendor disclosure
VDPs may remain optional in most cases today, but the writing is on the wall: In the future, VDPs will very likely become an expectation due not just to government regulation, but also to standards set by businesses in various industries.
This means that every vendor and every customer will require an efficient way of notifying both downstream and upstream stakeholders when security events occur. VDP programs allow this by defining ahead of time exactly what to disclose, whom to disclose it to and how to disclose it.
To manage VDPs effectively, you need automation and comprehensive visibility on your side. Findings provides those benefits by allowing businesses to discover and report on security issues automatically, then disclose them to third parties within the supply chain. The result is a stronger collaboration with stakeholders, as well as increased ability to stop cyber threats.
