Security icon

Design a Coordinated Vulnerability Disclosure Program

Because it's likely tomorrow’s law.

Get Instant Access to this Blueprint

Contributors

  • Mohnish Dhage, Security Specialist,Stratejm Inc.
  • Athul Jayaram, Security Researcher, HackerOne and Bugcrowd
  • Dolev Farhi, Information Security Team Lead, Paytm Labs
  • Ninad Mathpati, Application Security Engineer, ArisGlobal
  • Kashish Mittal, Head of Security, Microsoft
  • Jean Barkhuizen, Information Security and Compliance Lead, Applause IT Recruitment
  • Sandro Nafzger, Expert for Bug Bounty Programs, sansolutions GmbH
  • Florian Badertscher, Senior Security Analyst Cyber Defense and Lead Bug Bounty Program, Swisscom

Your Challenge

  • Businesses prioritize speed to market over secure coding and testing practices in the development lifecycle. As a result, vulnerabilities exist naturally in software.
  • To improve overall system security, organizations are leveraging external security researchers to identify and remedy vulnerabilities, so as to mitigate the overall security risk.
  • A primary challenge to developing a coordinated vulnerability disclosure (CVD) program is designing repeatable procedures and scoping the program to the organization’s technical capacity.

Our Advice

Critical Insight

  • Having a coordinated vulnerability disclosure program is likely to be tomorrow’s law. With pressures from federal government agencies and recommendations from best-practice frameworks, it is likely that a CVD will be mandated in the future to encourage organizations to be equipped and prepared to respond to externally disclosed vulnerabilities.
  • CVD programs such as bug bounty and vulnerability disclosure programs (VDPs) may reward differently, but they have the same underlying goals. As a result, you don't need dramatically different process documentation.

Impact and Result

  • Design a coordinated vulnerability disclosure program that reflects business, customer, and regulatory obligations.
  • Develop a program that aligns your resources with the scale of the coordinated vulnerability disclosure program.
  • Follow Info-Tech’s vulnerability disclosure methodology by leveraging our policy, procedure, and workflow templates to get you started.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should design a coordinated vulnerability disclosure program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Assess goals

Define the business, customer, and compliance alignment for the coordinated vulnerability disclosure program.

2. Formalize the program

Equip your organization for coordinated vulnerability disclosure with formal documentation of policies and processes.

Guided Implementations

This guided implementation is a four call advisory process.

Guided Implementation #1 - Assess goals

Call #1 - Understand the coordinated vulnerability disclosure process and define the goals of the overall program.

Guided Implementation #2 - Formalize the program

Call #1 - Formalize a coordinated vulnerability disclosure policy.
Call #2 - Use the framework to develop a coordinated vulnerability disclosure plan.
Call #3 - Develop a coordinated vulnerability disclosure workflow diagram.

Search Code: 93615
Published: August 10, 2020
Last Revised: August 10, 2020

Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019