When you co-ordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and 5 steps to creating one.
What Is a Coordinated Vulnerability Disclosure Program?
A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities to various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring that information about a known vulnerability is not just available, but also that response operations are as efficient as possible. But remember not all vulnerabilities should or must be disclosed. Deciding how to react, whether to block or avoid is also an important decision.
The Benefits of Coordinated Vulnerability Disclosure
Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:
– Reduced vulnerability impact
The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster, and rolled out to affected applications or systems before hackers attack them. This translates to a lower risk that the vulnerability will be exploited.
Consider CVDP as a “neighborhood watch” for your IT assets by encouraging everyone in your supply chain to report risks they discover.
– Build internal processes
Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.
– Combined stakeholder response
External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.
– Avoid surprises
When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.
On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.
– Ethical corporate behavior
Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.
5 Steps for Creating a Coordinated Vulnerability Disclosure Program
Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.
1. Create secure reporting channels
As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.
However, you need to provide secure channels through which third parties can report vulnerabilities in order to benefit from them. These channels could be as simple as resources like “security.txt” files that identify where and how someone can report a vulnerability to you.
Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.
2. Assess vulnerability severity
Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.
For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.
With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.
Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?
This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.
4. Public awareness
In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.
Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.
5. Assess your response
The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.
Coordination leads to the best outcomes
As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.
Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.
When it comes to planning for coordinated vulnerability response, Findings can help. Findings provide end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.