2020 has been an important year for VDP standardization worldwide. Earlier in the year, the U.S. saw the release of the Cybersecurity and Infrastructure Security Agency (CISA)’s Binding Operational Directive 20-01, NIST SP 800-53 Revision 5, and the Internet of Things Cybersecurity Bill, all of which positioned vulnerability disclosure policies (VDPs) as a crucial part of any cybersecurity strategy.
Now, the Australian Cyber Security Centre (ACSC) has released new guidelines recommending VDPs “to assist with the secure development and maintenance of products and services.” These guidelines were published in the Australian Government Information Security Manual.
How does it impact your org? What does it mean for the future of cybersecurity? Here’s what you need to know.
The ACSC manual covers everything from cybersecurity principles and roles to cable patching and media disposal. The section related to VDPs provides a background on the security benefits of working with external researchers. It also offers a guide to building your own VDP process to effectively “receive, verify, resolve and report on security vulnerabilities.”
ACSC, like HackerOne, recommends including the following information in every VDP:
- the purpose of the vulnerability disclosure program
- the types of security research that are allowed
- the types of security research that are not allowed
- how to report potential security vulnerabilities
- the actions that will be taken on receiving notification of potential security vulnerabilities and indicative timeframes for these actions
- any expectations regarding the public disclosure of verified security vulnerabilities
- any recognition finders of verified security vulnerabilities will receive
The Path Forward
The ACSC has joined a legion of governments, agencies, and independent organizations recommending or mandating that businesses implement a VDP. However, many businesses have yet to heed these recommendations. According to our research, hackers often find bugs on organizations’ websites -- but 25% of the time, they have no channel for alerting the organization that the bug exists. Even more worrisome, 82% of the Forbes Global 2000 do not have a known policy for vulnerability disclosure.
Organizations that do not have a VDP are missing out on crucial information about their own assets and systems. The bottom line is that all assets contain vulnerabilities, but only some businesses are taking the steps necessary to fix them.
It’s only a matter of time before every government mandates vulnerability disclosure policies. Fortunately, there is a clear path forward. HackerOne has partnered with organizations in every vertical to create a VDP that’s customized to their business. Rather than simply checking a compliance box, we help you integrate a potentially cumbersome, resource-draining process into your security strategy -- and turn compliance into a strategic differentiator.