Effectively organizing a Coordinated Vulnerability Disclosure

By: Caroline Willemse and André Biesheuvel

Organize effectively and cost efficiently

In the previous blog, “What is the need for applying a Coordinated Vulnerability Disclosure (CVD)?”, we discussed the need for a company to organize a CVD. In this blog we focus on the effective and cost-efficient organization of a CVD. The organization’s goal is to facilitate an effective and efficient vulnerability disclosure process that can reduce the risk of security flaws being exploited by cybercriminals.

ENISA is the driving force behind organizing CVD in Europe; see Coordinated Vulnerability Disclosure policies in the EU. Within that European context, the Dutch NCSC is responsible for the Dutch efforts; see its Coordinated Vulnerability Disclosure guideline.

MYOBI has – as ENISA advises in its Good Practice Guide – operationalized the CVD guideline for companies and users of the trust network.

CVD in outline

The CVD service keeps the threshold for an unknown researcher to report a documented vulnerability as low as possible. A reported vulnerability can be compared with a found “needle in a haystack”.

The essence of CVD services is that MYOBI, in the role of Trusted Third Party, receives information about a vulnerability in the security of a company’s infrastructure and/or applications from an unknown researcher.

When receiving the information about the vulnerability, MYOBI takes the following steps:

  • Authenticating the identity of the unknown researcher;
  • The unknown researcher records the information about the vulnerability in a secure environment of MYOBI; and
  • The unknown researcher invites the business process coordinator (responsible user) of the company in question – if desired under a pseudonym – into a secure business process.

The business process coordinator (responsible user) can involve us (Duthler Associates) in the process and request an analysis of the documented vulnerability. If the vulnerability threatens business continuity, the business process coordinator of the company concludes a CVD agreement with the unknown researcher.

The topics in the agreement relate to:

  • Advising on taking appropriate control and security measures and preventing calamities;
  • Communication during and after the removal of the vulnerability;
  • Agreements on limiting liability; and
  • Recognition for finding, documenting and identifying the vulnerability.

Chain liability

Companies use IT suppliers for their infrastructure and applications. Vulnerabilities in the control and security measures can also arise in the products and services of these IT suppliers. A supplier of IT services and products in turn uses its own suppliers. This forms a chain, and vulnerabilities can therefore arise anywhere in that chain.

It is important that, when purchasing these products and services, the company agrees with its suppliers on the goals and processes of CVD. Appropriate agreements are also needed on the decisive removal of identified vulnerabilities. The Contract Board provides companies with appropriate scenarios and CVD contracts in the contract portfolio.

MYOBI, the trusted third party

MYOBI, in its role of trusted party, gives the company the comfort that the threshold for reporting vulnerabilities is low and that the liability and cost risks are manageable. When compiling the Vulnerability Disclosure Statement (in the sense used by ENISA/NCSC), the Contract Board based it on the TTP policy. We make the Vulnerability Disclosure Statement company-specific and add it to the library.

The following topics are discussed:

  • The context in which the Vulnerability Disclosure takes place;
  • The roles of parties (tasks, powers and responsibilities);
  • The mechanism of sharing the information about the vulnerability;
  • Resolving the vulnerability;
  • Meeting the expectations of the unknown researcher/reporter;
  • Communicating about vulnerabilities; and
  • Resolving any disputes through mediation.

In the company's own learning environment, MYOBI provides an awareness and training program in collaboration with us.

Access to security incident knowledge and experience

It is not easy to find professionals who can assess the security vulnerabilities and propose appropriate practical management and security measures. If internal knowledge is lacking, the company can make an agreement with professionals about the timely delivery of capacity.

From threat to opportunity

For years, companies have been hesitant to regulate vulnerability disclosure because they feared inviting hackers to attack their systems. This fear is now largely gone. In fact, based on the idea “rather be hacked in a controlled manner than by a criminal hacker”, a company can actively invite hackers to detect and report vulnerabilities in its systems.

The reward for the unknown researcher may consist of:

  • No criminal charges or civil proceedings;
  • A company publication describing the case, through which the researcher receives recognition for his or her work in finding and documenting vulnerabilities; and/or
  • Compensation in the form of a financial reward and/or an engagement to continue testing the business systems.

Organizing CVD effectively is a powerful control and security measure that fits within a cyber information security strategy.

The value proposition for a company

An effective CVD organization provides the company with a value proposition. The value proposition turns out differently for every business organization. We outline the costs and revenues.

Cost:

  • Register on the MYOBI Trust Network. View the license costs here;
  • Using the smart contracting application;
  • Compiling contract library with contract set and CVD scripts;
  • Recognition of the unknown researcher (the ethical hacker);
  • If desired, have the CVD process managed on demand; and
  • Make use of a cybersecurity expert on demand to assess the vulnerabilities presented.

Yields:

  • Establishing CVD as a strong control and security measure;
  • Strengthening reputation management by making agreements with suppliers of IT services and products, and with ethical hackers, about the Vulnerability Disclosure process;
  • Preventing liability and cost risks; and
  • Controlling “the needle in a haystack” costs less than “finding a needle in a haystack”.

What can we do for you?

MYOBI Trust Network fulfills the role of trusted party. The Contract Board, in which we participate, has developed a CVD contract portfolio that we can make company-specific.

After following the CVD awareness and training program, a company can implement and manage the CVD control measure. If the capacity is lacking, a professional from Duthler Associates can carry out the implementation – in collaboration with employees – on demand.

Submit your question to one of our professionals

Organizing Coordinated Vulnerability Disclosure effectively requires a decisive approach. If you have any questions about your specific organization, please contact Caroline Willemse. See also our special page about CVD services.