Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

UK’s NCSC Publishes Guide to Implementing a Vulnerability Disclosure Process

The U.K.’s National Cyber Security Center (NCSC) has released a guide to help organizations get started with implementing a vulnerability disclosure process.

The U.K.’s National Cyber Security Center (NCSC) has released a guide to help organizations get started with implementing a vulnerability disclosure process.

The NCSC’s Vulnerability Disclosure Toolkit is intended for organizations of all sizes, but should not be considered an exhaustive guide. It only presents some of the main components of the vulnerability disclosure process.

“It really is in your best interest to encourage vulnerability disclosure. Having a clearly signposted reporting process demonstrates that your organization takes security seriously,” the agency notes.

NCSC encourages companies to implement such a process, to be able to receive reports on security vulnerabilities that may impact their systems, and address them before they are exploited for malicious purposes.

A well-defined vulnerability disclosure program, NCSC argues, prevents reputational damage that public disclosure may cause, and allows companies not only to establish a way to take action on the identified vulnerabilities, but also to inform the reporting entity that the issue is being managed.

According to the agency, a vulnerability disclosure process should not only provide a channel for reporting discovered vulnerabilities, but should also define how the organization would respond, while being “clear, simple and secure.”

“The international standard for vulnerability disclosure (ISO/IEC 29147:2018) defines the techniques and policies that can be used to receive vulnerability reports and publish remediation information. The NCSC designed this toolkit for organisations that currently don’t have a disclosure process but are looking to create one,” the organization notes.

In the NCSC’s opinion, it is essential for the vulnerability disclosure process to have a dedicated communication channel for reporting vulnerabilities. This would not only ensure that the information reaches the right person, but also that they can confirm the reported vulnerability and inform the finder that steps are being taken to address the issue.

A clear policy toward vulnerability disclosure is also essential, as it would inform vulnerability finders of what an organization expects from them, such as how they should contact the organization, what secure communication forms are available, and what information a vulnerability report should include. Furthermore, the policy should also define what the finder can expect to happen once they have reported a bug.

“One of the most important elements of vulnerability disclosure, and a challenge for the finder, is understanding who to contact. Security.txt is a proposed Internet standard and it describes a text file that webmasters can host in the ‘/.well-known’ directory of the domain root. It advertises the organization’s vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability,” NCSC also notes.

Both contact information and a link to the company’s vulnerability disclosure policy should be included in that file. There’s also an optional encryption field, which should link to the PGP public key the organization wants to use for encrypted communication.

“We believe this proposed standard provides the best mix of ease of implementation and a simple way to advertise your vulnerability disclosure process,” NCSC notes. The agency also provides recommendations on response plans for cross-site scripting (XSS) and subdomain takeover vulnerabilities.

Earlier this month, the United States Department of Homeland Security issued a Binding Operational Directive that requires federal, executive branch, departments and agencies to develop and publish vulnerability disclosure policies.

Related: Facebook Announces Vulnerability Reporting and Disclosure Policy

Related: DHS Orders Agencies to Patch Critical Vulnerabilities Within 15 Days

Related: Australia’s Intelligence Agency Publishes its Vulnerability Disclosure Process

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.