What is the need for applying a Coordinated Vulnerability Disclosure (CVD)?

By: Caroline Willemse and André Biesheuvel

Is your organization resilient to cyber attacks or other threats?

Protecting your IT infrastructure and its applications, including business and personal data, is often a daunting task. The management and security measures taken in the business processes with which the business activities are organized must be effective to prevent incidents and data leaks. Practice shows that vulnerabilities exist in the security organization that undermine the protection of systems and data.

The security organization and unknown researchers discover vulnerabilities in the IT infrastructure and applications. The reality is that unknown researchers can be malicious hackers or a wronged employee who can do a lot of damage with just one vulnerability. However, there are also researchers who want to get in touch with your company to inform the company in a constructive manner about the vulnerabilities found. This requires that such an ethical hacker can present the documented vulnerability to the security organization of the company in a decisive and effective way.

It is up to you to make your business organization resilient against cyber attacks, vulnerabilities or other threats. In most cases, the legislator leaves that entirely up to you. You may make your own risk assessment and link it to the measures you consider necessary. However, the legislator increasingly considers information security, i.e. having data hygiene in order, a legal obligation. In new legislation, European and national legislators set quality and security requirements for systems and the level of security that you should aim for with measures. The legislator also asks you to formulate a cyber information security strategy.

Current and new information security laws and regulations

If you are a vital provider, a provider of essential services, trust services or a digital service provider, processing personal data or supplying products and services to consumers, you will be confronted more and more with cybersecurity-related legislation in the coming years. While some of this new legislation still needs to be completed, you can prepare for it now.

An element that can be found in most cybersecurity legislation is the obligation to report cybersecurity incidents. The vulnerability has then become an incident. This reporting obligation can differ per sector and can concern different organizations to which the report must be made. Think of the Dutch Data Protection Authority (DPA), the Netherlands Authority for Consumers & Markets (ACM), the NCSC or the sectoral supervisors. In some situations, you report to two or even three supervisors. Failure to report can lead to enforcement and large fines.

An incomplete inventory of legislation

Information security is part of the European General Data Protection Regulation (GDPR). The legislator asks every organization that processes personal data to take appropriate and effective control and security measures “by design” in the business processes and to establish their operation.

For designated sectors or organizations, the legislator makes the commercial safeguarding of cyber security subject to obligations in, among other things, the Telecommunications Act, the Network and Information Systems Security Act, which is based on the European Network and Information Security Directive (NIB Directive) and the EU Regulation on electronic trust services (eIDAS Regulation). The general interest of a society benefits from a safe internet.

In the relationship between business and consumer (B:C), we know the conformity obligations for delivered digital products and services. The trader and seller ensure the consumer that products and services are resistant to cyber criminals.

The company wishes to protect the trade secrets

The continuity of business operations depends on the development, management and application of trade secrets under supervision. Recognizing the importance of managing trade secrets, the European legislator has adopted the Directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. This directive has been implemented by the national legislator in the Trade Secrets Protection Act. With the Wbb, a company has a powerful instrument to protect its trade secrets, but it must demonstrably organize and comply with this. For example, security measures taken, which demonstrably work, are necessary in order to be able to invoke the legal protection of trade secrets.

Are you aware of the security vulnerabilities?

Identifying, documenting, analyzing and removing security vulnerabilities are essential for organizing compliance with legal and contractual obligations in the field of processing business and personal data and trade secrets.

Coordinated Vulnerability Disclosure

The internal and external security organization and unknown researchers identify vulnerabilities in management and security measures to protect the IT infrastructure and applications containing data.

To encourage unknown researchers to report vulnerabilities and to manage the vulnerability disclosure process, a company uses Coordinated Vulnerability Disclosure (CVD). This makes the CVD control measure an essential part of the information security strategy and policy.

A CVD creates a system for organizations and researchers to collaborate, find vulnerabilities before they can be exploited, protect critical data from exploitation, and stay one step ahead of cybercriminals.

The investigators must contact the organization as indicated in the CVD Statement on the company’s website and provide sufficient details to verify and reproduce the vulnerability. During the company’s handling of the report, the researchers will keep the specific technical details of the vulnerabilities confidential and secure.

Implementing an effective and efficient vulnerability disclosure process can reduce the risk of security flaws being exploited by cybercriminals.

ENISA is the driving force behind organizing CVD in Europe, see Coordinated Vulnerability Disclosure policies in the EU. In a European context, the NCSC is responsible for the Dutch efforts, see the Coordinated Vulnerability Disclosure Disclosure.

MYOBI has – as ENISA advises in its Good Practice Guide – operationalized the CVD guideline for companies and users of the trust network (see: “Effectively organizing a Coordinated Vulnerability Disclosure”.

Conclusion and follow-up

In this blog we have outlined the need for CVD for a business organization. In the next blog we will discuss the practical and cost-efficient organization of a CVD.

Submit your question to one of our professionals

The effectiveness of organizing Coordinated Vulnerability Disclosure requires a decisive approach. If you have any questions for your specific organization, please contact Caroline Willemse. Also view our page of special about CVD services.