The U.K.’s National Cyber Security Centre (NCSC) released a new “Vulnerability Reporting Toolkit,” which is intended to help organizations manage their vulnerability disclosure processes in a simplified manner. The Toolkit is useful for any organization planning to implement a vulnerability disclosure process. It provides a comprehensive guide to developing a disclosure program built on three essential components: Communication, Policy, and Security.txt.
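The Security.txt component refers to the machine-readable file (standardized in RFC 9116) that an organization publishes at /.well-known/security.txt so that finders can locate the reporting contact and policy. The validator below is an added example, not code from the NCSC toolkit: it parses a security.txt body and checks the main RFC 9116 requirements that, in practice, most often go wrong (a missing Contact, a missing or past Expires date, duplicated singleton fields, and non-https web URIs). The two sample files and the example.org addresses are constructed for illustration.

```python
"""Parse and validate a security.txt file (RFC 9116).

Added example; the sample files below are constructed, not taken from any real site.
"""
from datetime import datetime, timezone

# Constructed sample: a well-formed file an organization might publish.
SAMPLE_OK = """\
# Security contact for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/report-a-vulnerability
Expires: 2030-12-31T23:59:00.000Z
Preferred-Languages: en, cy
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/vulnerability-disclosure-policy
"""

# Constructed sample with several defects a finder would trip over.
SAMPLE_BAD = """\
# Missing Contact, already expired, duplicated singleton fields, bare URL
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: fr
Policy: example.org/policy
"""

# RFC 9116: these fields may appear at most once.
SINGLETON_FIELDS = {"expires", "preferred-languages"}
# RFC 9116: web URIs in these fields must use https.
HTTPS_ONLY_FIELDS = {"acknowledgments", "canonical", "policy", "hiring", "csaf"}
# Contact schemes the RFC names explicitly (other URI schemes exist but are rare).
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
# Encryption may point at a key over https, via DNS, or by OpenPGP fingerprint.
ALLOWED_ENCRYPTION_SCHEMES = ("https://", "dns:", "openpgp4fpr:")


def parse_security_txt(text):
    """Return {lower-case field name: [values...]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line; tolerate rather than abort
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_rfc3339(value):
    """Parse an RFC 3339 timestamp; 'Z' is rewritten so older Pythons accept it."""
    normalized = value[:-1] + "+00:00" if value.endswith("Z") else value
    return datetime.fromisoformat(normalized)


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the checks here all passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    if "contact" not in fields:
        problems.append("missing required Contact field")
    if "expires" not in fields:
        problems.append("missing required Expires field")

    for name in sorted(SINGLETON_FIELDS):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    for value in fields.get("contact", []):
        if not value.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact value is not a mailto/https/tel URI: {value}")
    for value in fields.get("encryption", []):
        if not value.lower().startswith(ALLOWED_ENCRYPTION_SCHEMES):
            problems.append(f"Encryption value has an unexpected scheme: {value}")
    for name in sorted(HTTPS_ONLY_FIELDS):
        for value in fields.get(name, []):
            if not value.lower().startswith("https://"):
                problems.append(f"{name} must be an https URI: {value}")

    # Only the first Expires is examined; a duplicate is already reported above.
    for value in fields.get("expires", [])[:1]:
        try:
            expires = _parse_rfc3339(value)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a timezone offset")
        elif expires <= now:
            problems.append(f"file expired on {value}; finders may treat it as stale")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_security_txt(sample) or "OK")
```

Running the script prints an empty problem list for the first sample and five findings for the second. In a real deployment the same check belongs in CI or a scheduled job, because the most common failure is not a malformed file but an Expires date that silently passes while the file sits unchanged.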
“Security vulnerabilities are discovered all the time and people want to be able to report them directly to the organization responsible. The NCSC’s Vulnerability Disclosure Toolkit contains the essential components you need to set up your own vulnerability disclosure process,” NCSC said in a statement.
Importance of Vulnerability Reporting
Vulnerability reports from bug hunters provide critical information about existing vulnerabilities in the systems that can be used to fix the issues and improve the security posture. “Having a clearly signposted reporting process demonstrates that your organization takes security seriously. By providing a clear process, organizations can receive the information directly so the vulnerability can be addressed, and the risk of compromise reduced. This process also reduces the reputational damage of public disclosure by providing a way to report, and a defined policy of how the organization will respond,” NCSC added.
How to Respond to Vulnerability Reports
The NCSC recommended the following steps for responding effectively to a vulnerability report:
- Do not ignore the report. Respond promptly to the finder (bug hunter) and thank them. Feedback encourages engagement and they will be more inclined to help you again in the future.
- Pass the report to someone in your organization who is responsible for the affected product or service. If it is managed by a third party, discuss the report with them.
- Avoid forcing the finder to sign documents such as a non-disclosure agreement (NDA), as the individual is simply looking to ensure the vulnerability is fixed.
- If you need more information to confirm and fix the issue, you should politely request that additional information from the finder.
- Once you have decided on a course of action, let the finder know that the issue is being managed. You do not need to provide lots of technical information or commit to timescales.
- If the issue takes time to fix, you should send periodic updates back to the finder.
- Once the issue is fixed, let the finder know. They might be able to retest the issue to confirm the fix.
- Consider publicly acknowledging and thanking the finder as this creates a sense of trust and transparency.
“The toolkit is not an all-encompassing answer to vulnerability disclosure. If you do not have a vulnerability disclosure process, then the toolkit can help you create one. We believe it is worth establishing a process in advance. The toolkit is deliberately easy to implement, so you can adopt it at short notice. Even if you already have a process in place, take a look at the toolkit as it may help you to improve on what you have already set up,” NCSC concluded.
To help prevent growing cyberattacks, vulnerability reporting will be embedded into the U.K. government’s legislative framework, which will require makers of smart devices to provide a public point of contact as part of a vulnerability disclosure policy.