What is a Coordinated Vulnerability Disclosure program?

Welcome to our blog series about Coordinated Vulnerability Disclosure programs. This first blog explains what it is and why you should run a Coordinated Vulnerability Disclosure program to keep your IT systems safe and sound. This blog also leads to our free whitepaper on the subject, so let’s get started.


What is a Coordinated Vulnerability Disclosure program?

Before we explain what a Coordinated Vulnerability Disclosure program is, you should know what ‘disclosure’ means in the world of cybersecurity: 

Disclosure is the transfer of information from an external source to a company or organisation, in this case regarding the security of IT systems. When a researcher or criminal discovers a vulnerability, there are four ways they can handle the information:

  1. Non-disclosure
    A method in which the external researcher or criminal who discovered the vulnerability keeps the information to themselves. This can be for multiple reasons, whether because they plan to use the information as leverage or because they fear legal repercussions if they send in a report. A company that publishes clear preconditions and agreements for reporting can help convince researchers in the latter situation to turn in the information responsibly.
  2. Limited disclosure
    With limited disclosure, the researcher or criminal releases only a small or limited amount of information about the vulnerability, and only to a limited number of parties. Limited disclosure puts pressure on the company to fix the vulnerability quickly, because the information already puts customer or company data at risk of exploitation. The upside is that this form of disclosure stays contained to the few parties involved in the information transaction, but only for as long as those parties keep it to themselves.
  3. Full disclosure
    Another form of disclosure, in which the researcher or criminal releases the vulnerability information publicly. Though this gives the company the information it needs to fix the vulnerability, it gives that same information to everyone else at the same time, which puts the company at risk if it cannot resolve the issue fast enough. Criminals can easily access the vulnerability information and exploit it for as long as it is not fixed; bad news for companies.
  4. Responsible disclosure
    With responsible disclosure, the researcher directly contacts the company or multiple companies about a vulnerability that affects their systems. The information isn’t shared publicly until the vulnerability is fixed. This form of disclosure provides the best protection for companies against exploitation or data leakages. Coordinated Vulnerability Disclosure is a form of responsible disclosure that protects both the company involved and the researchers submitting the reports.  




Here’s the answer

And now you may know the answer to the question above. Hurray! A Coordinated Vulnerability Disclosure (CVD) program is a published policy and process that companies, organisations, or any group that wants to strengthen the security of its IT systems can use to find and fix vulnerabilities with outside help. The program or policy allows companies to indicate that they are open to receiving vulnerability reports from external researchers who may have stumbled upon a system fault, that they have a set course of action in the event a report is submitted, and under which conditions a researcher can report safely.


Why should I run a Coordinated Vulnerability Disclosure program?

Good question. We’ll answer it in our next blog about CVD, so stay tuned. Can’t wait to learn more about the subject? Then download our Coordinated Vulnerability Disclosure whitepaper now. It’ll give you all the information you need, and it’ll tell you how to start your own Coordinated Vulnerability Disclosure program - and how we can help you with that. 


PS: If you want to talk to one of our experts about a Coordinated Vulnerability Disclosure program, call us on +31 20 261 67 43 or email us at info@zerocopter.com.


Written by Zerocopter

March 10, 2021