Design a Coordinated Vulnerability Disclosure Program
Because it's likely tomorrow’s law.
- Businesses prioritize speed to market over secure coding and testing practices in the development lifecycle. As a result, vulnerabilities exist naturally in software.
- To improve overall system security, organizations are leveraging external security researchers to identify and remedy vulnerabilities, so as to mitigate the overall security risk.
- A primary challenge to developing a coordinated vulnerability disclosure (CVD) program is designing repeatable procedures and scoping the program to the organization’s technical capacity.
Our Advice
Critical Insight
- Having a coordinated vulnerability disclosure program is likely to be tomorrow’s law. With pressures from federal government agencies and recommendations from best-practice frameworks, it is likely that a CVD will be mandated in the future to encourage organizations to be equipped and prepared to respond to externally disclosed vulnerabilities.
- CVD programs such as bug bounty and vulnerability disclosure programs (VDPs) may reward differently, but they have the same underlying goals. As a result, you don't need dramatically different process documentation.
Impact and Result
- Design a coordinated vulnerability disclosure program that reflects business, customer, and regulatory obligations.
- Develop a program that aligns your resources with the scale of the coordinated vulnerability disclosure program.
- Follow Info-Tech’s vulnerability disclosure methodology by leveraging our policy, procedure, and workflow templates to get you started.
Design a Coordinated Vulnerability Disclosure Program
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should design a coordinated vulnerability disclosure program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Assess goals
Define the business, customer, and compliance alignment for the coordinated vulnerability disclosure program.
2. Formalize the program
Equip your organization for coordinated vulnerability disclosure with formal documentation of policies and processes.
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Try Our Guided Implementations
Get the help you need in this 2-phase advisory process. You'll receive 4 touchpoints with our researchers, all included in your membership.
Guided Implementation #1 - Assess goals
- Call #1 - Understand the coordinated vulnerability disclosure process and define the goals of the overall program.
Guided Implementation #2 - Formalize the program
- Call #1 - Formalize a coordinated vulnerability disclosure policy.
- Call #2 - Use the framework to develop a coordinated vulnerability disclosure plan.
- Call #3 - Develop a coordinated vulnerability disclosure workflow diagram.
Contributors
- Mohnish Dhage, Security Specialist,Stratejm Inc.
- Athul Jayaram, Security Researcher, HackerOne and Bugcrowd
- Dolev Farhi, Information Security Team Lead, Paytm Labs
- Ninad Mathpati, Application Security Engineer, ArisGlobal
- Kashish Mittal, Head of Security, Microsoft
- Jean Barkhuizen, Information Security and Compliance Lead, Applause IT Recruitment
- Sandro Nafzger, Expert for Bug Bounty Programs, sansolutions GmbH
- Florian Badertscher, Senior Security Analyst Cyber Defense and Lead Bug Bounty Program, Swisscom