
A Maturity Model for Vulnerability Coordination

  • September 22nd, 2015

Take the Vulnerability Coordination Maturity Model survey today!

By Katie Moussouris

The question for all organizations isn't if, but when someone will discover a vulnerability in your software or systems. Do you have a graceful way to deal with that vulnerability report? What you do about it next can determine how it affects your organization, your customers, and your ability to defend against threats.

It's time for something new to talk about in the well-trodden vulnerability disclosure discussion: a Vulnerability Coordination Maturity Model, also described here on Youtube. This is a new and practical open guide to help organizations measure, benchmark, and improve their vulnerability handling capabilities when someone reports a security bug to them.

A Maturity Model for Vulnerability Coordination

Inspired by other familiar maturity models in secure software development, threat response, and others, we recognized a gap in the practical guidance in vulnerability coordination for not just software companies, but all organizations. We have released this model to help both established organizations as well as new vendors currently increasing their dependence on internet-connected software.

The Vulnerability Coordination Maturity Model will help organizations:

  • Assess their preparedness to respond to vulnerability reports and act on them.
  • Build a list of activities to enhance their abilities to respond to security bug reports in their own software or services.
  • Create a roadmap towards improving their vulnerability coordination and security over time.

Well over a decade ago, before the ISO standards for vulnerability disclosure (29147) and vulnerability handling processes (30111) were even a glimmer in the eye of their original editor, security researchers, hackers, and companies were wrestling with one of the oldest and most contentious debates in software: what is the best way to disclose a security vulnerability? I've written many thoughts over the years, and I've authored vulnerability disclosure policies for the largest software companies in the world. Yet we stand once again at the brink of another attempt to establish common best practices between the security researchers who find vulnerabilities and those who are responsible for fixing them. My hope for this multistakeholder event is that together we can support strategies for coordinating vulnerabilities between hackers and vendors, as well as between vendors themselves, as was the case with Heartbleed.

Enter the Vulnerability Coordination Maturity Model, which takes best practices, cites the existing ISO standards, and describes how they can be augmented with even better capabilities. The maturity model shows how to take a beginner's level of vulnerability coordination and turn it into powerful ways to improve defense by leaps, possibly even disrupting adversaries with the knowledge gained.

Below are the five capability areas at the heart of the Vulnerability Coordination Maturity Model.

We are excited to bring you this Maturity Model as a tool to benchmark your current capabilities and a resource to return to in order to measure your organizational improvements over time. It is a practical and simple guide to get you started, no matter if you have simple capabilities or if you are highly sophisticated and are looking to tune your investment in vulnerability coordination to achieve the best outcomes.

There's a saying we in security are fond of: never waste a good crisis. That means each vulnerability reported to you isn't necessarily a crisis, but it's something to remind you that code is written by humans, who are flawed, yet we are also great at improving ourselves when motivated and given guidance to do so.

Take the Self-Assessment Survey

Take the Vulnerability Coordination Maturity Model survey to see how your organization stacks up and where you need to invest in securing your products and learning from your mistakes, or download the slides that describe the model here. We can't wait to hear from you with questions, suggestions, and success stories of learning from your vulnerabilities to build safer software sooner.
