Coordinated disclosure hailed as powerful and effective tool for helping manage cybersecurity risk
Government and private sector organizations should strengthen their ties with security researchers by implementing coordinated vulnerability disclosure (CVD) programs as a core component of their risk management strategies, a US standing committee has urged.
In a white paper (PDF) released yesterday, the House Energy and Commerce Committee said the continued growth of connected technologies has resulted in CVD programs becoming a “necessity” for organizations of all sizes.
“The committee’s work has shown that the complexity of modern information systems and networks makes coordinated disclosure an essential, rather than optional, part of an organization’s overall cybersecurity strategy,” the report states.
CVD programs involve collaboration between researchers and an affected organization, in which details of a vulnerability are disclosed privately to allow the organization time to confirm the issue, as well as to develop and deploy fixes.
A bug bounty can be classed as a specific type of CVD program.
While the report highlights the key challenges presented by CVD initiatives (including an uncertain legal environment and the risk of negative public backlash against companies with such programs), the committee said organizations in both the public and private sectors should move away from the “woefully outdated” model of handling cybersecurity threats internally.
In its effort to help incentivize organizations to adopt vulnerability disclosure programs, the committee said Congress should explore ways to clarify the differences between ‘hacking’ and CVD practices.
“In doing so, Congress could provide much needed legal certainty to CVD programs and participants, and thus encourage more organizations and third-parties to leverage CVD and its attendant benefits,” reads the white paper.
Additionally, the committee recommended that lawmakers should explore ways to encourage federal agencies and private sector stakeholders to address and minimize the negative public responses to CVDs.
“As the number and diversity of organizations that have adopted CVD programs demonstrates, these programs are powerful, effective tools for helping manage cybersecurity risk,” the report states.