Vulnerability handling – how organisations deal with reports of security weaknesses in their software and systems – is a field that has developed a lot in my time working for Janet. When I started most organisations received reports and fixed vulnerabilities on an ad hoc basis, if at all. Now we have guidelines on policies, ideas on motivating researchers to report bugs, even presentations on the psychology of vulnerability reporting.
The latest development is a Vulnerability Coordination Capability Maturity Model (CMM) from hackerone, setting out five areas where organisations need to prepare if they want to be confident of receiving and handling vulnerability reports: organisational, engineering, communications, analytics and incentives. Like most CMMs, each of these has a number of different levels – here basic, advanced and expert. Definitions of each can be found in the slides linked from the hackerone post, or there’s an on-line self-assessment. For full details of the required processes, the CMM references various ISO standards in the area.
Expert level – when an organisation will be able to extract information from trends in reporting, identify issues in development processes, etc. – seems mainly aimed at software vendors, since it presumes a steady stream of vulnerability reports. However basic level seems well worth considering even for organisations that only use, rather than produce, software. If someone finds a vulnerability in one of your on-line services, you want the problem to be reported and fixed. Even if you only pass the report on to the software vendor, a basic level of vulnerability coordination maturity will help you to assess the risks to your organisation, consider appropriate mitigation measures, and highlight the importance of a fix to your supplier.