When it comes to cybersecurity, discovering vulnerabilities is often the easy part. What tends to be challenging is figuring out where to disclose vulnerabilities once you’ve discovered them.
If someone inside your business or supply chain discovers a vulnerability but fails to report it to the people who need to know about it, the vulnerability may as well not have been discovered at all. It’s only by disclosing and reporting vulnerabilities that stakeholders can remediate them, while also taking steps to avoid falling victim to them until their root cause is addressed.
That’s why establishing vulnerability disclosure programs and policies is critical to cybersecurity success – not to mention the overall health of your business. Setting up a VDP places you ahead of competitors who lack one. It also sends a clear message to vendors, customers, partners, employees and other stakeholders that you take cybersecurity seriously and operate with transparency when you discover vulnerabilities. And it establishes clear policies, robust communication channels and backend processes that help you resolve vulnerabilities and risks quickly.
But how do you actually create a security VDP initiative? What goes into a VDP, and how do you ensure your VDP application covers all security requirements? Keep reading for answers to those questions as we walk through the five major components of a VDP “roadmap” that can support teams and project managers when it comes to disclosing and reporting on vulnerabilities and ensuring they get back to the Cybersecurity Infrastructure and Security Agency (CISA). CISA which plays a leading role in managing vulnerabilities (and which has also, incidentally, developed a new VDP platform because it recognizes how crucial – and challenging – effective VDP security can be).
VDP security step 1: Outline your goals
Creating a VDP to reinforce your security strategy starts with determining exactly what you hope to get out of your VDP.
Ask questions such as:
- What is the driving factor for your VDP? Having a clear VDP program is essential if you want to work with US officials. Do you want to promote increased security, improve coordination between teams, increase vulnerability visibility or something else? While VDP security operations can do all of these things, you may choose to prioritize one of them in particular.
- What are your main VDP pain points? What’s currently getting in the way of vulnerability disclosure? Is it a lack of employee education or lack of communication channels, for instance?
- What role does your VDP play in your overall business? VDPs don’t just serve security purposes. They can also help you achieve business goals by developing a unique selling proposition..
Once you know your main VDP security goals, you can build and use a VDP application tailored to them.
VDP security step 2: Assign responsibilities, develop policies
To start building your program, you need to map responsibilities to stakeholders, then establish policies that define who does what within the context of vulnerability disclosure. CISA offers a template that may be helpful for this purpose.
Identify, for starters, who needs to be aware of the program and who needs to participate in it. Then go deeper by defining specific responsibilities for collecting, analyzing and reporting on vulnerabilities.
Outline as well which security policies your vendors need to adhere to, and how you’ll keep those policies up-to-date. And determine whether vulnerability disclosers will be allowed to remain anonymous. An anonymous disclosure does not make the disclosure any less important. A researcher may simply not want their name on any of the disclosure notes.
Ultimately, your goal during this step should be to lay the groundwork for a community that helps itself with vulnerability disclosure and management.
VDP security step 3: Integrate VDP into your processes
Vulnerability disclosure processes shouldn’t exist in a silo. Instead, they should be integrated into your routine business operations, and your VDP policies map should reflect this.
For example, your VDP should outline how software development, testing and deployment operations interface with VDP reporting requirements. It should also define exactly which tests should be run in an effort to discover vulnerabilities.
By establishing these processes, you not only gain efficiency when it comes to managing vulnerabilities. You also set clear guidelines that employees, researchers and vendors should follow to ensure that all vulnerabilities are discovered and disclosed effectively. You should give CISOs and researchers enough scope so that they can provide valuable feedback, but not so much scope that your team can’t keep up with the incoming reports.
These policies may also help to drive VDP automation by making it possible to automate VDP discovery and reporting within the context of routine business operations. Education is key across the organization and a security culture needs to be embedded into the fabric of your business.
VDP security step 4: Evaluate vendors
Once you’ve determined which VDP policies your business needs to meet, it’s time to evaluate your vendors and perform due diligence to confirm that they align with your requirements.
Rank your vendors according to their overall security postures. You can sort them into three categories: High security, medium security or low security.
From there, choose which vendors require more monitoring, and which pose such security risks that you can’t work with them. You should also highlight vendors with excellent security records, since you may want to target them for long-term partnerships.
To validate your vendor assessments, collect documentation, including the frameworks and security rules that the vendors adhere to internally. Keep these documents secure and update them periodically because they may change.
VDP security step 5: Continuously monitor and audit VDP compliance
After rolling out your VDP policies and vetting vendors, you need to monitor, measure and audit continuously to ensure that stakeholders continue to follow the guidelines. Your goal here is to ensure that everyone – including internal users like your employees, as well as vendors and other external parties – remain in compliance with VDP policies you establish.
To make this process efficient, you’ll want to automate it as much as possible. Automation also ensures that you can scale your business as VDP requirements grow continuously more complex, and as you integrate more vendors and other stakeholders into your operations.
With VDP, everyone wins (except the bad folks)
Establishing clear, transparent and actionable VDP rules is a win-win for everyone (except, of course, the threat actors who want to exploit vulnerabilities). It lays the foundation for effective collaboration while also strengthening relationships with both internal and external stakeholders. And it facilitates the fast resolution of vulnerabilities and breaches by getting vulnerability data to organizations like CISA as rapidly as possible.
Findings bakes VDP into their platform, making VDP security an effortless operation. With Findings, you can both discover and report on vulnerabilities across your business’s supply chain. Findings bakes the “switch” for vulnerability disclosure directly into your business operations, making your VDP processes efficient, scalable and all-encompassing.