Beltug

Coordinated Vulnerability Disclosure Policy: part of your proactive security approach. Takeaways from the Beltug Debate Room: 21 January 2021


Date: 21/01/2021


Security has never been higher in our members' priorities. Especially as, with the sudden and massive increase in homeworking, vulnerabilities are piling up and potential incidents are right around the corner.

 

One tool to identify weaknesses is a Coordinated Vulnerability Disclosure Policy (CVDP). This is a set of rules that allows ‘ethical hackers’ to investigate your system for flaws and then inform you about them.

 

Beltug cooperates with the Centre for Cybersecurity Belgium (CCB), to share information that can support our members’ security needs and goals. The CCB worked with intigriti to publish a ‘Guide to a Coordinated Vulnerability Disclosure Policy’ that covers both best practices and legal aspects. It includes reasons to adopt a CVDP, what should be included, the steps for creating your policy, data privacy, fraud and infractions, and more.

 

But there are plenty of questions and issues surrounding ethical hacking and bug bounties. So at this event, we gave our members the chance to bring up their questions and concerns. After an introduction by intigriti and the CCB, we opened the floor for debate amongst peers, about the opportunities or challenges they see with CVDPs.

 

Presentations from the speakers and a recording of the event are available to our members (after log-in).

 

 

Coordinated Vulnerability Disclosure Policies, aka ‘Bug Bounties’

 

Valéry Vander Geeten, Legal officer and DPO at the CCB, believes that vulnerabilities in IT systems are unavoidable, yet we still need to know about them in order to deal with them (proactively) and find a solution. So the Coordinated Vulnerability Disclosure Policy will continue to be promoted and pushed towards companies.

 

The purpose of the CVDP and of a bug bounty platform is to detect and assess vulnerabilities, but also to advise on solutions. With a CVDP, you set up the boundaries within which the ethical hacker can do his research. The 'bounty', a reward for finding a weakness, is optional in such a policy. The policy gives a hacker authorisation to test the system, with the associated activities falling outside the realm of criminality - as long as the rules and the scope of the policy are respected. When a person goes outside of that scope or rules, they are considered a criminal hacker (slides 8-9).

 

When defining the scope of the policy, make sure that you only include your own systems. To include a system that relies on a third party, you will need the approval of that third party. Otherwise, the hacker can find himself on criminal ground again.

 

Have the policy include a single point of contact within your company for the hacker/researcher, and make sure it's easy for this person to contact the company. Continuous communication (for follow-up and feedback) is important.

 

And don't forget to inform your users and/or vendors about the vulnerabilities and the respective solutions. Also, all information resulting from the efforts of an ethical hacker can be shared with the CCB.

 

The benefits of a CVDP are numerous, Valéry emphasised:

  • Potential involvement of a large number of researchers/experts
  • Flexibility of implementation or adaptation
  • No significant increased risk of malicious actions
  • Evidence of compliance with legal obligations or standards regarding security of networks and information systems (GDPR, NIS, eIDAS, PSD2, certification, contracts, general liability, etc.)
  • Preventive rather than reactive approach
  • Ensures confidentiality and proportionality
  • Helps train IT or development teams
  • Controlled budget (only validated discoveries are paid)
  • Support from the coordinator team

 

Have a look at the CCB website for the guides they have published on CVDPs, in French and Dutch (English will be published later).

 

To conclude, Valéry pointed out that international standards also refer to CVDPs, such as those from ISO and ENISA (slides 23 and 24).

 

Making security testing agile

 

After this legal and theoretical perspective, Stijn Jans, CEO at intigriti, added the practical angle. To start off, he explained that, by working with a community, you're making your security agile (slide 2). Security testing is the sensible (and necessary) thing to do within your organisation. But it can't cover only your 'crown jewels' or take place only a few times a year. It needs to be a constant effort and cover the entire environment (as that changes continuously).

 

Using this approach, the community constantly looks over your shoulder to monitor the changes, and you only pay for the results. Plus, you can often create a targeted community, based on region, skillset, reputation, etc. Crowd security results in numerous creative eyes having a look at your architecture and environment.

 

Inti De Ceukelaire, Head of Hackers at intigriti, added that many companies are concerned about 'inviting' malicious hackers by having a CVDP. The reality is that both the people with good intentions and those with dubious intentions are looking at your app, website or environment in any case. Or maybe they simply stumble across a security vulnerability in your system by accident. In this situation, it is frustrating for ethical hackers not to find a CVDP (recording minute 28:30).

 

Even if you don't want to work with an ethical hacker platform, it makes sense to have a CVDP, in order to set boundaries and guide people to a single point of contact.

 

So what's in it for the hackers? It's part of the new way of working, the new way of building a career path, says Inti. Hackers, regardless of age or region, receive the same payment for their work: they are equal. They can make money more quickly and independently, and choose the projects close to their passion.

 

Stijn also summed up what a platform of ethical hackers can do for you (slide 8).

 

After these introductions to the concept, the legal perspective and the practical aspects of a Coordinated Vulnerability Disclosure Policy, we opened the debate room, with many questions and valuable insights. (This discussion is available in the recording, starting at minute 38.) Throughout our many activities, Beltug will contribute to creating awareness of this proactive element of security governance.
