Our systems detected an issue with your IP. If you think this is an error please submit your concerns via our contact form.

Security icon

Design a Coordinated Vulnerability Disclosure Program

Because it's likely tomorrow’s law.

  • Businesses prioritize speed to market over secure coding and testing practices in the development lifecycle. As a result, vulnerabilities exist naturally in software.
  • To improve overall system security, organizations are leveraging external security researchers to identify and remedy vulnerabilities, so as to mitigate the overall security risk.
  • A primary challenge to developing a coordinated vulnerability disclosure (CVD) program is designing repeatable procedures and scoping the program to the organization’s technical capacity.

Our Advice

Critical Insight

  • Having a coordinated vulnerability disclosure program is likely to be tomorrow’s law. With pressures from federal government agencies and recommendations from best-practice frameworks, it is likely that a CVD will be mandated in the future to encourage organizations to be equipped and prepared to respond to externally disclosed vulnerabilities.
  • CVD programs such as bug bounty and vulnerability disclosure programs (VDPs) may reward differently, but they have the same underlying goals. As a result, you don't need dramatically different process documentation.

Impact and Result

  • Design a coordinated vulnerability disclosure program that reflects business, customer, and regulatory obligations.
  • Develop a program that aligns your resources with the scale of the coordinated vulnerability disclosure program.
  • Follow Info-Tech’s vulnerability disclosure methodology by leveraging our policy, procedure, and workflow templates to get you started.

Design a Coordinated Vulnerability Disclosure Program Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should design a coordinated vulnerability disclosure program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Design a Coordinated Vulnerability Disclosure Program – Executive Brief
Design a Coordinated Vulnerability Disclosure Program – Phases 1-2

1. Assess goals

Define the business, customer, and compliance alignment for the coordinated vulnerability disclosure program.

Design a Coordinated Vulnerability Disclosure Program – Phase 1: Assess Goals
Information Security Requirements Gathering Tool

2. Formalize the program

Equip your organization for coordinated vulnerability disclosure with formal documentation of policies and processes.

Design a Coordinated Vulnerability Disclosure Program – Phase 2: Formalize the Program
Coordinated Vulnerability Disclosure Policy
Coordinated Vulnerability Disclosure Plan
Coordinated Vulnerability Disclosure Workflow

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Client

Experience

Impact

$ Saved

Days Saved

Concordia University of Edmonton

Guided Implementation

10/10

$10,000

20

Design a Coordinated Vulnerability Disclosure Program preview picture

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 2-phase advisory process. You'll receive 4 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Assess goals
  • Call 1: Understand the coordinated vulnerability disclosure process and define the goals of the overall program.

Guided Implementation 2: Formalize the program
  • Call 1: Formalize a coordinated vulnerability disclosure policy.
  • Call 2: Use the framework to develop a coordinated vulnerability disclosure plan.
  • Call 3: Develop a coordinated vulnerability disclosure workflow diagram.

Author

Michelle Tran

Contributors

  • Mohnish Dhage, Security Specialist,Stratejm Inc.
  • Athul Jayaram, Security Researcher, HackerOne and Bugcrowd
  • Dolev Farhi, Information Security Team Lead, Paytm Labs
  • Ninad Mathpati, Application Security Engineer, ArisGlobal
  • Kashish Mittal, Head of Security, Microsoft
  • Jean Barkhuizen, Information Security and Compliance Lead, Applause IT Recruitment
  • Sandro Nafzger, Expert for Bug Bounty Programs, sansolutions GmbH
  • Florian Badertscher, Senior Security Analyst Cyber Defense and Lead Bug Bounty Program, Swisscom

Related Content: Threat Intelligence & Incident Response

Search Code: 93615
Last Revised: August 10, 2020

TAGS:

Bug Bounty Program, Bug Bounty, Responsible Disclosure, Good faith reporting
Visit our IT’s Moment: A Technology-First Solution for Uncertain Times Resource Center
Over 100 analysts waiting to take your call right now: +1 (703) 340 1171
© Info-Tech Research Group | Terms of Use | Privacy Policy