Coordinated vulnerability disclosure – The government is here to help? – Flash 03 2019

From EuroDIG Wiki

19 June 2019 | 14:45-15:50 | EVEREST 1 & 2

Session teaser

Coordinated vulnerability disclosure, with a crucial role for governments: will it help keep users safe, or not?

Session description

The aim of Coordinated Vulnerability Disclosure (CVD) is to improve the security of IT systems by sharing knowledge about vulnerabilities. Owners of IT systems can then mitigate vulnerabilities before they are actively abused by third parties.

The Netherlands has had an official policy on Coordinated Vulnerability Disclosure since 2013, there is an official (free!) ISO standard, and many countries are currently adopting the practice, either officially or unofficially. In the session we’ll show how the Dutch government helps with CVD and how it supports organisations and researchers with this process, while still retaining a balanced option for legal prosecution.

Coordinated Vulnerability Disclosure pertains to the mechanisms by which vulnerabilities are shared and disclosed in a controlled way. It provides the necessary insight to political leadership, government policy-makers and other stakeholders to implement the most important elements of a CVD policy. It aims to shape a concerted international approach and to support the establishment of national CVD policies. The emphasis is on software manufacturers, vendors and user organisations, as they are key to a successful CVD policy. It addresses the need to reduce software vulnerabilities as a key concept in strengthening cyber security.

Format

Interactive session. Since 2013 the NCSC has received and processed hundreds of reports. Many Dutch organisations actively pursue a CVD policy. This illustrates the added value of a CVD process in improving the digital resilience of the Netherlands. This session is for sharing experiences and lessons learned with cyber security mechanisms for responsible disclosure or coordinated vulnerability disclosure policies, and for discussion of the broader topic of ethical hacking.

Further reading

“Coordinated Vulnerability Disclosure: The Guideline”. This is a revision of the 2013 guideline on Responsible Disclosure. The revised guideline pays additional attention to the human factor in a successful CVD policy and to the importance of good mutual communication. With the help of this guideline, organisations can create their own CVD policy: for example, how reporters can submit vulnerabilities to the organisation, agreements about communication, mitigation timeframes and possible rewards for the reporter.

https://www.ncsc.nl/english/current-topics/news/coordinated-vulnerability-disclosure-guideline-supports-organisations-with-their-cvd-policy.html

https://www.thegfce.com/documents/publications/2017/11/21/coordinated-vulnerability-disclosure

People

Organiser and Speaker:

  • Marit van Piggelen, National Cyber Security Centre, Netherlands (NCSC-NL)