There has been a lot happening with vulnerability co-ordination and I wanted to update you with the NCSC thinking and approach. This includes what we've learnt so far, and some more background to what we have been doing since our last blog.
A vulnerability disclosure is not an incident
Over the past two years we have been working on the NCSC Vulnerability Co-ordination Pilot. Through this pilot we have learnt a lot about how to handle vulnerabilities within an organisation, and how to work together with the researcher community.
One of the key learning points was to understand that a vulnerability disclosure is not in itself an incident. However, when a vulnerability is used in an attack, it is an incident. This means that if an unpatched vulnerability gets publicised, it could become an incident. Therefore, having a mature and co-ordinated vulnerability disclosure process helps decrease the risk of an incident occurring.
The aim of the pilot is to identify the best way to take an organisation through the process of establishing a vulnerability disclosure process. The NCSC is working with HackerOne as the platform provider and NCC Group as the assessment partner. We have also been working closely with LutaSecurity to ensure we are following industry best practice.
Vulnerability reporting service now live
In addition, we are really excited to have recently launched our vulnerability reporting service, which acknowledges the crucial role security researchers play in helping to secure UK government web services. The quickest way to remediate a security vulnerability is to report it to the system owner. However we appreciate that it can be hard to find the right contact, so researchers can now report the vulnerability to us. Given the recent GCHQ publication, it’s also important to highlight that anything reported to us is exempt from the equities process and will be disclosed.
For me, our vulnerability reporting service is a very important step as it represents our commitment to vulnerability disclosure co-ordination. We are continually looking to improve it, and as part of this we plan to be transparent around our learning. This reporting service operates hand-in-hand with the co-ordination pilot to start improving vulnerability disclosure across UK government. We are also keen to show our appreciation by issuing HackerOne reputation points to those that disclose.
We are continuing to work with the security researcher community and UK government departments to refine the vulnerability reporting service. Over the next year or so, we'll be providing more information regarding the steps required to create an organisation-wide vulnerability disclosure process. This will include providing guidance for both the private and public sectors. I will also keep you updated with our learning over the coming months, and I hope to be able to talk through our approach at CyberUK 2019.
In the meantime, please drop any feedback or comments below.
NCSC Vulnerability Disclosure Lead