Design a Coordinated Vulnerability Disclosure Program


Ensure your vulnerability disclosure program reflects business, customer, and regulatory obligations.


Major Business Pain Points

  • Businesses prioritize speed to market over secure coding and testing practices in the development lifecycle. As a result, shipped software inevitably contains vulnerabilities.
  • To improve system security, organizations are engaging external security researchers to find and report vulnerabilities before attackers exploit them, reducing overall security risk.
  • A primary challenge to developing a coordinated vulnerability disclosure (CVD) program is designing repeatable procedures and scoping the program to the organization’s technical capacity.

Recommendations

Key Points

  • Having a coordinated vulnerability disclosure program is likely to become a legal requirement. Given pressure from federal government agencies and recommendations from best-practice frameworks (for example, ISO/IEC 29147 on vulnerability disclosure and ISO/IEC 30111 on vulnerability handling), a CVD program will likely be mandated in the future so that organizations are equipped to receive and respond to externally disclosed vulnerabilities.
  • CVD programs such as bug bounty programs and vulnerability disclosure programs (VDPs) differ in how they reward researchers, but they share the same underlying goals: a clear intake channel, triage, remediation, and communication back to the reporter. As a result, you don't need dramatically different process documentation for each.

Approach

  • Design a coordinated vulnerability disclosure program that reflects business, customer, and regulatory obligations.
  • Develop a program that aligns your resources with the scale of the coordinated vulnerability disclosure program.
  • Follow the vulnerability disclosure methodology, using the policy, procedure, and workflow templates to get started.

Methodology and Tools

Executive Brief

Read the concise Executive Brief to find out why you should design a coordinated vulnerability disclosure program and review the methodology.

  • Design a Coordinated Vulnerability Disclosure Program – Executive Brief
  • Design a Coordinated Vulnerability Disclosure Program – Phases 1-2

1. Assess goals

Define the business, customer, and compliance alignment for the coordinated vulnerability disclosure program.

  • Design a Coordinated Vulnerability Disclosure Program – Phase 1: Assess Goals
  • Information Security Requirements Gathering Tool

2. Formalize the program

Equip your organization for coordinated vulnerability disclosure with formal documentation of policies and processes.

  • Design a Coordinated Vulnerability Disclosure Program – Phase 2: Formalize the Program
  • Coordinated Vulnerability Disclosure Policy
  • Coordinated Vulnerability Disclosure Plan
  • Coordinated Vulnerability Disclosure Workflow (Visio)
  • Coordinated Vulnerability Disclosure Workflow (PDF)

All resources on this page are provided to Cyber Leadership Hub members under license from third parties including Info-Tech Research Group Inc, a global leader in providing IT research and advice.