Let’s first define what we’re talking about when we refer to these NIST controls. NIST 800-53 is a popular framework for security programs globally and also acts as the baseline control set for the U.S. Federal Government’s FedRAMP program. In 2020, The National Institute of Standards and Technology (NIST) released its latest revision 5 (rev 5) to the 800-53 standard. This repositioned the standard to emphasize risk-based outcomes of an overall security program versus rating the impact of individual controls. We’re talking about this again now because the FedRAMP Project Management Office (PMO) recently provided guidance around how rev 5 will be incorporated into the FedRAMP audit framework in 2024, so the clock is ticking for organizations to get their plan in place.

In rev 5, NIST introduces a brand new control, RA-5(11), which requires SaaS vendors to “Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components” 

The NIST guidance further recommends that:

“The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.” 

Essentially, organizations must truly embrace the open nature of public vulnerability reporting. Ethical hackers who report vulnerabilities in good faith should be welcomed and organizations must be given a specific time frame in which to properly remediate those vulnerabilities. This latest revision moves us much closer to a true “see something, say something” mindset that is accepting of any vulnerability report from the public. 

What Is a Vulnerability Disclosure Policy?

In essence, the guidance is talking about a “Vulnerability Disclosure Policy,” which typically includes the following elements:

• Promise: Demonstrate a clear, good-faith commitment to customers and other stakeholders potentially impacted by security vulnerabilities;
• Scope: Indicate what properties, products, and vulnerability types are covered;
• Safe Harbor: Assures vulnerability finders that they will not be unduly penalized or prosecuted if they follow the policy;
• Process: Outlines the process that finders should use to report vulnerabilities; and,
• Preferences: A living document that sets expectations for preferences and priorities regarding how reports will be evaluated, including timeline expectations.

To see an example of what a live VDP looks like, you can view HackerOne’s own policy.

With NIST’s new VDP control, organizations need guidance on what makes a strong VDP and how to evaluate those strengths to prove a best-in-class program. During a recent rev5 guidance call with the FedRAMP PMO, we asked, “With RA-5(11) being a net new control across the impact levels, how will that control be assessed?”

The PMO responded by pointing to the White House’s memorandum on this topic posted in 2020 — M-20-32. This document does a good job of outlining some of what we call out above, but not necessarily the specifics around how to evaluate it.

So, here we are back to square one, and you are likely asking, “Yeah — so how do I do that?”

As mentioned above, HackerOne offers VDPs as part of its own broader product offerings and regularly advises customers on industry best practices and what makes a good policy. We also carry our own FedRAMP Authority to Operate (ATO) and have experience with the FedRAMP auditing process. 

In addition to HackerOne’s expertise on the new NIST control, we’ve also collaborated with FedRAMP Manager, Doug Stonier and Nick Rundhaug, FedRAMP Practice Leader with Schellman & Company, a leading provider of attestation and compliance services. They are a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, and a FedRAMP 3PAO.

Both the experts at HackerOne and Schellman & Company think everyone, including auditors, should be asking the following questions:

1. How Easy/Difficult Is the Policy to Find?  

Generally speaking, you should be able to use a search engine to search for “COMPANY_NAME Vulnerability Disclosure” and quickly locate said policy. In addition, a VDP should be easily discoverable via the website’s navigation, whether that be part of a security page, privacy page, or part of the main footer.  

The Schellman Perspective

The key part of the control addressed here is that the reporting channel is "public.” As an assessor, we will be seeking evidence showing a publicly accessible submission mechanism.  This could be as easy as a URL that is publicly available such as through a search engine or public webpage.

2. How Consistently Is the Policy Followed and What Metrics Are Tied to it?

For example, if the policy sets out a timeframe to respond to an initial submission, is the company following it? Are they actioning on submissions, and how quickly? For those looking for additional reading, see HackerOne’s prescribed turnaround and resolution times.

The Schellman Perspective

The RA-5(11) control is short, but along with the supplemental guidance, there are a number of items that will likely be covered in a related CSP (Cloud Service Provider) owned policy.  We will review the policies that the CSP owns that cover items such as applicability, timelines, etc., and ensure the policy covers the VDP including metrics such as timelines.

3. What Assets Are in Scope?

This is a big one. All of the company’s digital assets should be in scope. A greatly limited scope results in fewer vulnerabilities and detracts away from the “see something, say something” mindset. We recognize there may be exceptions to this rule, but these should be well thought-through and few and far between. If this is part of a FedRAMP audit, an auditor should be looking to see whether or not FedRAMP assets are included in scope. If they are out of scope, you should be asking why.

The Schellman Perspective

The entire FedRAMP boundary (components) must be in scope at a minimum. It is likely that more than the FedRAMP boundary will be in scope, which is fine.

4. What Types of Findings Are in Scope?

This is an opportunity for the VDP to offer context around what vulnerability findings are considered most important to the organization and what type of testing is allowed under the policy. Ideally, any type of finding should be in scope, but we recognize that, at times, this may not always be possible. An example of a finding that may be deprioritized is findings related to third-party assets.

The Schellman Perspective

This is another policy check. The policy should include the type of findings that are accepted and tracked. An organization will want to define ratings (possibly based on CVSS 3.0 scoring) and determine what is accepted, such as low-risk findings that are “informational.”

5. Is There a Promise of Safe Harbor for Reasonable Submissions?

Safe Harbor refers to the company’s willingness to absolve (read: not prosecute) any ethical hacker who follows industry standards and submits a discovered vulnerability. In May of 2022, the U.S. Department of Justice put out a revision stating that those who submit “good-faith security research should not be charged.”

A lack of a Safe Harbor provision essentially invalidates any VDP since nobody will want to submit vulnerabilities for fear of prosecution. Safe Harbour also provides the company legal protections around the allowance of ethical attacks.

As the leading expert in vulnerability disclosure, HackerOne has spent extensive time researching and consulting on this topic so that you do not have to. The HackerOne platform defines the Gold Standard Safe Harbor, which provides all parties the best protections afforded.

The Schellman Perspective

The NIST supplemental guidance addresses the need for establishing related timelines for submission and disclosure. These items are likely addressed in the CSP policy covering the VDP.

6. Is the Preferred Method of Contact Easy to Follow?

Nobody wants to call a 1-800 number, submit their birth certificate, and sign a 90-page contract before being able to submit a vulnerability. The recommended methods of contact for a VDP are a group email address, a submission form on the website, or a submission form on a platform. You should design the form for this use case and include few requirements or legalese that would put off a possible report.

The Schellman Perspective

While RA-5(11) does not have a specific requirement for the ease of submission (besides “public reporting channel”), the organization will want to consider this, and the resulting submission channel will be used as evidence by the 3PAO during a FedRAMP assessment.

Stay On Top of the NIST VDP Control

This conversation will continue to evolve over time as Federal Program Management Office and industry leaders continue to update the guidance. HackerOne will monitor the situation and update our own insights as the situation evolves. We encourage you to bookmark this page to keep up with the latest developments. You can also contact us with any questions. We’d love to sit down with you to understand your needs and how we can help.