Design a Coordinated Vulnerability Disclosure Program

Because it's likely tomorrow’s law.

Do not fill in this field

Enter no text in this field

Get Instant Access to this Blueprint

Full Name

Company

Phone

Job Title

Unlock This Blueprint

Contributors

Mohnish Dhage, Security Specialist,Stratejm Inc.
Athul Jayaram, Security Researcher, HackerOne and Bugcrowd
Dolev Farhi, Information Security Team Lead, Paytm Labs
Ninad Mathpati, Application Security Engineer, ArisGlobal
Kashish Mittal, Head of Security, Microsoft
Jean Barkhuizen, Information Security and Compliance Lead, Applause IT Recruitment
Sandro Nafzger, Expert for Bug Bounty Programs, sansolutions GmbH
Florian Badertscher, Senior Security Analyst Cyber Defense and Lead Bug Bounty Program, Swisscom

Your Challenge

Businesses prioritize speed to market over secure coding and testing practices in the development lifecycle. As a result, vulnerabilities exist naturally in software.
To improve overall system security, organizations are leveraging external security researchers to identify and remedy vulnerabilities, so as to mitigate the overall security risk.
A primary challenge to developing a coordinated vulnerability disclosure (CVD) program is designing repeatable procedures and scoping the program to the organization’s technical capacity.

Our Advice

Critical Insight

Having a coordinated vulnerability disclosure program is likely to be tomorrow’s law. With pressures from federal government agencies and recommendations from best-practice frameworks, it is likely that a CVD will be mandated in the future to encourage organizations to be equipped and prepared to respond to externally disclosed vulnerabilities.
CVD programs such as bug bounty and vulnerability disclosure programs (VDPs) may reward differently, but they have the same underlying goals. As a result, you don't need dramatically different process documentation.

Impact and Result

Design a coordinated vulnerability disclosure program that reflects business, customer, and regulatory obligations.
Develop a program that aligns your resources with the scale of the coordinated vulnerability disclosure program.
Follow Info-Tech’s vulnerability disclosure methodology by leveraging our policy, procedure, and workflow templates to get you started.

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should design a coordinated vulnerability disclosure program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Design a Coordinated Vulnerability Disclosure Program – Executive Brief

1. Assess goals

Define the business, customer, and compliance alignment for the coordinated vulnerability disclosure program.

2. Formalize the program

Equip your organization for coordinated vulnerability disclosure with formal documentation of policies and processes.

Guided Implementations

This guided implementation is a four call advisory process.

Guided Implementation #1 - Assess goals

Call #1 - Understand the coordinated vulnerability disclosure process and define the goals of the overall program.

Guided Implementation #2 - Formalize the program

Call #1 - Formalize a coordinated vulnerability disclosure policy.

Call #2 - Use the framework to develop a coordinated vulnerability disclosure plan.

Call #3 - Develop a coordinated vulnerability disclosure workflow diagram.

Search Code: 93615
Published: August 10, 2020
Last Revised: August 10, 2020

TAGS:

Bug Bounty Program, Bug Bounty, Responsible Disclosure, Good faith reporting