The number of devices connected to the internet keeps growing, which widens the attack surface available to cyber criminals. On top of that, software and updates are released at an ever-increasing pace.
Coordinated Vulnerability Disclosure is a form of disclosure: the transfer of information from an external source to a company or organisation, in this case about the security of its IT systems. A researcher or criminal who discovers a vulnerability can handle that information in four ways:
• the researcher or criminal keeps the information to themselves, often because they fear legal repercussions for reporting it, or because they intend to use the vulnerability as leverage;
• the researcher or criminal shares a limited amount of information with a limited number of parties. This puts pressure on the company to fix the vulnerability quickly, before it is exploited;
• the researcher or criminal releases the vulnerability publicly. This puts the company at risk if it cannot resolve the issue fast enough;
• the researcher contacts the company directly with a report that is not shared publicly until the vulnerability is fixed.
With Coordinated Vulnerability Disclosure, the vulnerability is made public only once it has been fixed, or after an agreed period of time has passed. In the meantime the organisation can fix the vulnerability or assess the business risk it poses.
A Coordinated Vulnerability Disclosure Policy consists of two parts: a clear guideline on how a researcher (or ethical hacker) can report a vulnerability, and a description of how the organisation will handle that report (for instance, how it communicates with the researcher and whether it lets them know once the vulnerability has been fixed). The policy also reduces internal chaos, because it keeps the organisation from being overwhelmed by unstructured reports. Being able to take in reports, respond to them promptly and stay organised is essential for a Coordinated Vulnerability Disclosure Policy to work.
Nowadays, software is released almost continuously. This is good for business and makes companies more responsive, but it can mean that software ships without being thoroughly tested. Coordinated Vulnerability Disclosure helps here by providing a constant, dynamic stream of feedback on the security of your systems, regardless of how fast you release.
A Coordinated Vulnerability Disclosure Policy gives companies effective protection against exploitation and data leaks, while also protecting researchers who act in good faith against legal repercussions.
A Coordinated Vulnerability Disclosure Policy is a guideline on how to report vulnerabilities and how you’ll handle them.
In a Coordinated Vulnerability Disclosure Policy, you’ll
• describe what you would like the researcher to do when they find a vulnerability
• describe what you promise to do with a report
You can download an example Coordinated Vulnerability Disclosure Policy text for your website and other digital touchpoints.
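Once the policy is published, researchers still have to find it. The standard way to make it discoverable is a security.txt file (RFC 9116) served at /.well-known/security.txt. The file below is an added example and not part of the original page or of Zerocopter's material; the domain, addresses, URLs and dates in it are placeholders:

```text
# Served at https://www.example.com/.well-known/security.txt (placeholder domain)

# Where to send reports (required; mailto: or https: URIs, most preferred first)
Contact: mailto:security@example.com
Contact: https://www.example.com/report-a-vulnerability

# Date after which this file must be treated as stale (required, ISO 8601)
Expires: 2026-12-31T23:59:59Z

# Public key for encrypted reports (optional)
Encryption: https://www.example.com/pgp-key.txt

# Link to the Coordinated Vulnerability Disclosure Policy itself (optional)
Policy: https://www.example.com/coordinated-vulnerability-disclosure-policy

# Where researchers who reported valid issues are credited (optional)
Acknowledgments: https://www.example.com/hall-of-fame

Preferred-Languages: en, nl
Canonical: https://www.example.com/.well-known/security.txt
```

Keep the Expires value less than a year ahead and renew it before it passes, since a stale file tells researchers the contact details can no longer be trusted. RFC 9116 also allows the file to carry an OpenPGP cleartext signature, which lets a researcher verify that the reporting channel has not been tampered with.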
Handling many reports, about many vulnerabilities, can become overwhelming. A dedicated platform lets researchers report vulnerabilities to you without you having to set up additional security infrastructure.
Zerocopter is the leading enterprise application security platform, empowered by the world’s best ethical hackers. We provide you with a dedicated platform and a Triage Team of security experts. Reports submitted through the Coordinated Vulnerability Disclosure Policy workflow are reviewed by our Triage Team, so you are only confronted with valid reports about real vulnerabilities. You can choose to pay rewards to individuals who report a valid vulnerability via the Coordinated Vulnerability Disclosure Policy.