The U.K.’s National Cyber Security Center (NCSC) has released a guide to help organizations get started with implementing a vulnerability disclosure process.
The NCSC’s Vulnerability Disclosure Toolkit is intended for organizations of all sizes, but should not be considered an exhaustive guide. It only presents some of the main components of the vulnerability disclosure process.
“It really is in your best interest to encourage vulnerability disclosure. Having a clearly signposted reporting process demonstrates that your organization takes security seriously,” the agency notes.
NCSC encourages companies to implement such a process, to be able to receive reports on security vulnerabilities that may impact their systems, and address them before they are exploited for malicious purposes.
A well-defined vulnerability disclosure program, NCSC argues, prevents reputational damage that public disclosure may cause, and allows companies not only to establish a way to take action on the identified vulnerabilities, but also to inform the reporting entity that the issue is being managed.
According to the agency, a vulnerability disclosure process should not only provide a channel for reporting discovered vulnerabilities, but should also define how the organization would respond, while being “clear, simple and secure.”
“The international standard for vulnerability disclosure (ISO/IEC 29147:2018) defines the techniques and policies that can be used to receive vulnerability reports and publish remediation information. The NCSC designed this toolkit for organisations that currently don’t have a disclosure process but are looking to create one,” the organization notes.
In the NCSC’s opinion, it is essential for the vulnerability disclosure process to have a dedicated communication channel for reporting vulnerabilities. This would not only ensure that the information reaches the right person, but also that they can confirm the reported vulnerability and inform the finder that steps are being taken to address the issue.
A clear policy toward vulnerability disclosure is also essential, as it would inform vulnerability finders of what an organization expects from them, such as how they should contact the organization, what secure communication forms are available, and what information a vulnerability report should include. Furthermore, the policy should also define what the finder can expect to happen once they have reported a bug.
“One of the most important elements of vulnerability disclosure, and a challenge for the finder, is understanding who to contact. Security.txt is a proposed Internet standard and it describes a text file that webmasters can host in the ‘/.well-known’ directory of the domain root. It advertises the organization’s vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability,” NCSC also notes.
Both contact information and a link to the company’s vulnerability disclosure policy should be included in that file. There’s also an optional encryption field, which should link to the PGP public key the organization wants to use for encrypted communication.
“We believe this proposed standard provides the best mix of ease of implementation and a simple way to advertise your vulnerability disclosure process,” NCSC notes. The agency also provides recommendations on response plans for cross-site scripting (XSS) and subdomain takeover vulnerabilities.
Earlier this month, the United States Department of Homeland Security issued a Binding Operational Directive that requires federal, executive branch, departments and agencies to develop and publish vulnerability disclosure policies.