The UK’s National Cyber Security Centre (NCSC) has released a new Vulnerability Reporting Toolkit, designed to help organizations manage vulnerability disclosure in a streamlined, process-driven manner.
The government-backed GCHQ unit explained in a blog post yesterday that the new toolkit was built with knowledge distilled from two years of running the NCSC’s Vulnerability Co-ordination Pilot and Vulnerability Reporting Service.
It was built according to the three best practices of vulnerability disclosure: good communication, a clear policy and ease of use. On the latter, the NCSC advocated the proposed IETF standard security.txt, also supported by the US Department of Homeland Security and NZ CERT, as an easy way for individuals to find all the information they need to report a vulnerability.
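The following checker is an added example, not NCSC code and not part of the original article: it parses a security.txt file and flags the problems a disclosure programme would want caught before publishing one (missing contact, missing or past expiry, non-URI contact, unknown fields). It assumes the field names of RFC 9116, the published form of the IETF draft mentioned above, and uses a constructed sample file.

```python
"""security.txt checker: added example, not NCSC, IETF or any project's code.
Field names follow RFC 9116 (the published form of the security.txt draft);
the sample file below is constructed for the example, not from a real site."""
from datetime import datetime, timezone

REQUIRED = ("Contact", "Expires")
KNOWN = REQUIRED + ("Encryption", "Acknowledgments", "Preferred-Languages",
                    "Canonical", "Policy", "Hiring")

SAMPLE = """\
# Constructed sample (hypothetical organisation, not a real site)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security/disclosure-policy
"""

def parse_security_txt(text):
    """Map each field name to its list of values; comments and blanks are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon are ignored rather than fatal
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {n}" for n in REQUIRED if n not in fields]
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:  # RFC 9116 requires an ISO 8601 timestamp; a trailing 'Z' is accepted
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append(f"file expired on {value}; researchers may distrust it")
    for value in fields.get("Contact", []):
        if ":" not in value or value.startswith("http:"):
            problems.append(f"Contact must be a URI (mailto:, tel: or https:): {value}")
    problems += [f"unknown field: {n}" for n in fields if n not in KNOWN]
    return problems
```

Run `check_security_txt(SAMPLE)` to see the constructed sample pass; feed it a file with no Expires line or an http: contact to see the corresponding findings.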
“The toolkit is not an all-encompassing answer to vulnerability disclosure, but it is a great start. If you don't have a vulnerability disclosure process, then the toolkit can help you create one. We believe it’s worth establishing a process in advance (that is, before you need to create a process when responding to a vulnerability disclosure),” the NCSC’s “Ollie N” said.
“The toolkit is deliberately easy to implement, so you can adopt it at short notice. Even if you already have a process in place, please take a look at the toolkit as it may help you to improve on what you’ve already set up.”
As the first edition of the toolkit, the current iteration is designed to cover just the basics. However, over time it will be adapted to include details on how to build an internal process that can triage and fully manage a vulnerability disclosure.
The NCSC’s advice comes ahead of new IoT laws being drawn up by the government which will compel all manufacturers of consumer smart gadgets to run vulnerability disclosure programs.
Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) issued new requirements for all government agencies to develop and publish vulnerability disclosure policies (VDPs).