In January 2022, the UK government published a new national cybersecurity policy. One of the anticipated outcomes stated in the policy is for the UK government to establish “comprehensive visibility and understanding of its digital assets enabling it to identify and manage vulnerabilities and the cybersecurity risks they present.” Without this visibility, the policy correctly says, cybersecurity risks will “go unrecognised and unmanaged.” It also remarks, again correctly, that “vulnerabilities in technology and digital services are introduced or discovered almost constantly.”

What particularly caught our eye is the UK government’s strategy for meeting the challenge, which is to “[provide] a clear path for anyone – whether a public sector employee, a commercial entity or a private individual – to highlight potential vulnerabilities.”
That is to say: a Vulnerability Disclosure Program (VDP). The UK government’s strategy also mandates, as it should, “robust vulnerability management programmes to be in place across all government organisations to ensure identified vulnerabilities are effectively managed across their IT estate.” In other words: there will also be processes by which details of vulnerabilities reported to any one government organisation are shared with all government organisations for appropriate resolution – a vital follow-up step for any organisation with a VDP.
The UK government is, in fact, only one of many now acknowledging the vital – critical, even – role that vulnerability disclosure programs play in assuring the security of IT infrastructure. In the last few years, the 27 EU governments forming the European Council have become increasingly attached to the concept of co-ordinated vulnerability disclosure (CVD), a process by which vulnerability finders work together and share information with the relevant stakeholders such as vendors and ICT infrastructure owners, across Europe.
Progress in Europe
Progress on deployment in Europe remains modest to date: an analysis published in April 2022 observed a wide disparity among member states in respect of their levels of CVD policy achievement. Only four member states had already implemented such a CVD policy, while another four of them were about to do so. The remaining states were split between those already discussing how to move forward and those who had not yet reached that stage.
The European Union Agency for Cybersecurity (ENISA) appears keen to see member states in lockstep sooner rather than later: accompanying the analysis, its recommendations included: amendments to criminal laws and to the [European] Cybercrime Directive to offer legal protection to security researchers involved in vulnerability discovery; and the development of incentives for security researchers to actively participate in CVD research.
In the United States, progress towards widespread adoption of Vulnerability Disclosure Programs by government entities has been swift. Binding Operational Directive 20-01, released in September 2020, mandated that all Federal Civilian Executive Branch (FCEB) agencies must develop and publish a vulnerability disclosure policy. The Cybersecurity and Infrastructure Security Agency (CISA), a federal agency of the US government, selected Bugcrowd and EnDyna to launch its first federal civilian enterprise-wide crowdsourced VDP platform in support of the BOD and, at the time of writing, 23 Federal agencies already operate VDPs on the Bugcrowd platform.
Work to do
Despite the recent move by governments to adopt VDPs – notably with the full support of agencies such as the European Union Agency for Cybersecurity (ENISA), the Cybersecurity and Infrastructure Security Agency (CISA) in the USA and the National Cybersecurity Centre (NCSC) in the UK – it seems we still have work to do to communicate fully the advantages and benefits of VDPs to all businesses: Bugcrowd research in 2021 found that, in the USA, only 9 percent of Fortune 500 companies have a VDP in place.
If you’re considering a VDP, you may like to bear in mind research showing that, of organisations with a VDP in place:
- 41 percent say VDPs are now mandated in their industry
- 55 percent say it provides security value
- 32 percent say it contributes to improving [their organisation’s] reputational value
- 45 percent say VDPs are a security best practice
- 78 percent are running VDPs as part of a strategic program that includes bug bounty and penetration testing