The U.S. Federal Trade Commission (FTC) recently stated that organizations should begin to incorporate vulnerability disclosure programs (VDPs), which allow good-faith security researchers to find and report bugs, into their cybersecurity strategy.
The U.S. Department of Justice (DOJ) echoed this opinion in its Framework for a Vulnerability Disclosure Program for Online Systems, which provides a framework for a good VDP.
Still, a recent study by HackerOne found that 94 percent of organizations in the Forbes Global 2000 don’t currently have any method in place for researchers to report potential security issues that they find. This is disturbing, given that VDPs are likely to become legally binding soon.
In fact, U.S. federal agencies were already required to implement vulnerability disclosure policies by March 2021, according to the Cybersecurity and Infrastructure Security Agency (CISA).
In this post, we’ll discuss what a vulnerability disclosure policy is and why your organization needs one.
What is a vulnerability disclosure policy?
A VDP is a way of providing a secure method for researchers to report security issues found in your information technology (IT) systems. VDPs also include guidelines or processes for remediation and mitigation of those issues or bugs.
The methodology for the VDP came from the DoJ’s Criminal Division, Cybersecurity Unit to help researchers and organizations avoid any fraud-related misunderstandings according to the CFAA (Computer Fraud and Abuse Act).
What is a security vulnerability report?
A security vulnerability report, otherwise known as responsible disclosure, is a report provided by security researchers that include the identified bugs or security risks that exist within a software or environment.
What are the different types of security disclosure reports?
Vulnerability disclosures typically include the third-party vendor or developer responsible for the product being researched, plus the researcher(s) in charge of identifying the vulnerability. These disclosures can take one of a few forms:
- Self-disclosures. These are used when product manufacturers discover flaws on their own and disclose them publicly, in addition to updates on patches and resolution.
- Third-party disclosures. These are used when the person or team reporting vulnerabilities, typically security researchers, are not the owners of the systems themselves.
- Vendor disclosures. These are used when security researchers report identified vulnerabilities to application vendors, who then work to correct the issues.
Does my organization need a VDP?
If your enterprise is responsible for the handling, processing, or transmission of sensitive information — whether it be personal health information (PHI), personally identifiable information (PII), trade secrets like a proof of concept, or any proprietary data — then yes, you should have VDP.
This is particularly true for any organization that works either directly or indirectly with the U.S. government. The VDP should include a method for reporting security research and a way to remediate vulnerabilities.
Currently, the FTC’s specifications and the DOJ’s framework aren’t legally binding. Instead, they are meant as guidance. Organizations can still design and manage their own VDPs, based on what works best for themselves.
That said, the guidelines should not be ignored, since they’re likely to become law soon. They also specify that responsible disclosure is not the same as a bug bounty program, which offers financial incentives for hackers to look for and report security flaws.
It’s important that ethical hackers have a safe harbor for providing reported vulnerabilities without facing legal action, and for organizations to have a follow-up plan to triage and fix issues. Otherwise, they expose themselves to legal liabilities by allowing a flood of bug reports without any time frame or protocols to addressing them.
What must the government do when it discovers a vulnerability?
For the private sector, VDPs are a best practice — something your organization should do, but not (yet) legally required. In contrast, U.S. government agencies have a higher standard.
When U.S. government agencies discover vulnerabilities that exist in their IT environment or that threaten the protection of sensitive data, they must decide whether or not a disclosure of the vulnerability to the general public is a threat to national security.
If not, their duty is to disclose the information in hopes of improving the national interest for cybersecurity best practices.
How do VDPs relate to CMMC and FedRAMP?
Neither CMMC (the cybersecurity requirements for defense contractors) nor FedRAMP (the cybersecurity requirements for technology vendors providing cloud-based services to government agencies) specifically includes VDPs as part of their compliance obligations.
However, having a VDP does provide an extra layer of security, and can then push a vendor to a higher level of maturity as determined by both CMMC and FedRAMP guidelines.
Creating a VDP in the context of any compliance standards you’re obligated to adhere to can be a challenge. With potentially hundreds of pages of compliance documentation to go through, assigning resources to implement risk assessments, and going through the process of risk mitigation and achieving compliance can be an enormous undertaking.
ZenGRC can help assure that your organization meets all requirements for CMMC, FedRAMP, HIPAA, COSO, or any other compliance framework you’re obligated to achieve certification or accreditation with.
Our templates make baseline self-assessments a breeze; while our easy-to-use, the centralized dashboard provides an integrated view of your compliance stance across all applicable frameworks, showing you where the gaps are in your cybersecurity programs and how to fill them.
ZenGRC stores and organizes all related documentation, so it’s readily available in the event of an audit by compliance assessors.
Worry-free compliance and risk management is the Zen way! Learn how ZenGRC can help you achieve a compliant VDP by booking a demo today.