The U.K.’s National Cyber Security Center (NCSC) has released a guide to help organizations get started with implementing a vulnerability disclosure process.
The NCSC’s Vulnerability Disclosure Toolkit is intended for organizations of all sizes, but should not be considered an exhaustive guide. It only presents some of the main components of the vulnerability disclosure process.
“It really is in your best interest to encourage vulnerability disclosure. Having a clearly signposted reporting process demonstrates that your organization takes security seriously,” the agency notes.
NCSC encourages companies to implement such a process, to be able to receive reports on security vulnerabilities that may impact their systems, and address them before they are exploited for malicious purposes.
A well-defined vulnerability disclosure program, NCSC argues, prevents reputational damage that public disclosure may cause, and allows companies not only to establish a way to take action on the identified vulnerabilities, but also to inform the reporting entity that the issue is being managed.
According to the agency, a vulnerability disclosure process should not only provide a channel for reporting discovered vulnerabilities, but should also define how the organization would respond, while being “clear, simple and secure.”
“The international standard for vulnerability disclosure (ISO/IEC 29147:2018) defines the techniques and policies that can be used to receive vulnerability reports and publish remediation information. The NCSC designed this toolkit for organisations that currently don’t have a disclosure process but are looking to create one,” the organization notes.
In the NCSC’s opinion, it is essential for the vulnerability disclosure process to have a dedicated communication channel for reporting vulnerabilities. This would not only ensure that the information ..
Support the originator by clicking the read the rest link below.
