Coordinated Vulnerability Disclosure

Enable users and reporters to report vulnerabilities via a Coordinated Vulnerability Disclosure Policy and strengthen your IT security


Strengthen your IT security with Coordinated Vulnerability Disclosure

The number of devices connected to the internet keeps growing, which increases the attack surface available to cyber criminals. On top of that, the speed at which software and updates are released is increasing.

Proactive steps are no longer optional

Get started with your Coordinated Vulnerability Disclosure

Request our whitepaper
Want to know everything about Zerocopter?

What is Coordinated Vulnerability Disclosure?

Coordinated Vulnerability Disclosure is a form of disclosure: the transfer of information from an external source to a company or organisation, in this case regarding the security of IT systems. There are four ways a researcher or criminal can handle information about a vulnerability:

Non-disclosure

The researcher or criminal keeps the information to themselves, often because they fear legal repercussions for reporting it, or because they intend to use the vulnerability as leverage.

Limited Disclosure

The researcher or criminal shares only a limited amount of information with a limited number of parties. This puts pressure on companies to fix the vulnerability quickly to prevent exploitation.

Full Disclosure

The researcher or criminal releases the vulnerability publicly. This puts companies at risk if they cannot resolve the issue fast enough.

Coordinated Vulnerability Disclosure

The researcher contacts the company directly with a report that isn’t shared publicly until the vulnerability is fixed.

With Coordinated Vulnerability Disclosure, the vulnerability is only disclosed once it is fixed or after an agreed period of time. Organisations can use that time to fix the vulnerability, or to assess the business risks it poses.

What is a Coordinated Vulnerability Disclosure Policy?


A Coordinated Vulnerability Disclosure Policy is a clear guideline on how a researcher (or ethical hacker) can report a vulnerability, combined with a policy on how an organisation will handle that report (for instance how to communicate with the researcher, or whether to let them know the vulnerability has been fixed). This policy also reduces internal chaos by preventing your organisation from being overwhelmed with reports. The ability to take in reports and respond to them promptly while staying organised is essential for a Coordinated Vulnerability Disclosure Policy.



Nowadays, software is released almost continuously. This is great for business and boosts company responsiveness, but it can mean software ships without being thoroughly tested. Coordinated Vulnerability Disclosure provides a solution by giving you constant and dynamic feedback on the security of your systems, regardless of how fast you release.

A Coordinated Vulnerability Disclosure Policy provides the best protection for companies against exploitation or data leaks, while also protecting researchers with good intentions against legal repercussions.

What to include in a Coordinated Vulnerability Disclosure Policy?

A Coordinated Vulnerability Disclosure Policy is a guideline on how to report vulnerabilities and how you’ll handle them.

In a Coordinated Vulnerability Disclosure Policy, you’ll:
• describe what you would like the researcher to do when they find a vulnerability
• describe what you promise to do with a report

You can download an example of a Coordinated Vulnerability Disclosure Policy text for your website and digital touchpoints.

How do I manage reports coming in via a Coordinated Vulnerability Disclosure Policy?

Handling many reports about many different vulnerabilities can become overwhelming. A dedicated platform allows researchers to report vulnerabilities without you needing to set up additional security infrastructure.

Zerocopter is the leading enterprise application security platform, empowered by the world’s best ethical hackers. We’ll provide you with a dedicated platform and a Triage Team of security experts. Reports via the Coordinated Vulnerability Disclosure Policy workflow are reviewed by our Triage Team. This means you are only confronted with valid reports about real vulnerabilities. You can choose to pay rewards to individuals who report a valid vulnerability via the Coordinated Vulnerability Disclosure Policy.
