Chris Vickery, a security researcher, was recently sued by a digital marketing firm (and alleged spammers) for finding 1.4 billion email accounts that the company had left unprotected, according to The Next Web. In disclosing this security loophole, Chris only meant to help the company strengthen its security. This is not an isolated incident: security researchers (or ethical hackers) often find vulnerabilities in security systems and choose to keep quiet about them because they fear being prosecuted for their research.
By working with such professionals, your IT team can uncover vulnerabilities that could otherwise have crippled your business. However, it is never enough to wait for such people to approach you with vulnerabilities; you need to assure them that no legal action will be taken against them for their findings. Thankfully, a vulnerability disclosure policy does exactly that.
Read on to learn more about using a vulnerability disclosure policy to beef up your security system:
The Risk of Unidentified Vulnerabilities
Imperfection is common in the world of IT, and vulnerabilities in your IT assets are almost inevitable. The obvious way to identify these vulnerabilities in good time is to invest in state-of-the-art tools such as a server monitoring tool. While these tools have proven effective for years, there is still a margin of error: an attacker may find a flaw before your tooling flags it.
What happens if a malicious individual stumbles on such a vulnerability? The chances are that they will wreak havoc in your organization. On the flip side, it makes no sense to threaten a well-wisher who discloses the vulnerability to you before anyone else does. This is what makes a well-documented vulnerability disclosure policy vital.
What to Include In Your Policy
Simply put, a vulnerability disclosure policy gives hackers, academics and security researchers permission to access your organization's systems remotely and dig for vulnerabilities. It assures a safe harbor to professionals who put everything on the line by looking for flaws in your security system. Apart from setting out the rules of engagement for looking for these flaws, perhaps the most important part of the document is defining the scope of permitted research.
It is vital to indicate which IT assets are in scope. It may not be appropriate to give such individuals permission to tamper with areas that hold sensitive information. Likewise, there is little value in letting them access testing environments or assets that are already known to be fragile. The document should also explain your preferred method of vulnerability disclosure and the process to follow.
The Policies Are Quite Common
Before receiving their first report from an external source, most companies are usually blind to their vulnerabilities. Many new entrants to the software development market may, in fact, not have such policies in place. Nonetheless, the policies are quite common.
The US Department of Defense has received more than 3000 reports of different vulnerabilities thanks to its vulnerability disclosure policies. Meanwhile, big companies such as Google, Apple, and Microsoft have been using such policies for years and already have mature systems in place to help identify these threats.
How to Make It Work
Putting the vulnerability disclosure policy together and posting it online is the easy part. The next step is preparing your internal team for the expected flow of security information. Your team needs a well-defined procedure for what to do once it receives information about a vulnerability.
This will include assessing whether the vulnerability is a genuine risk and, if so, working to eliminate it. The faster you can eliminate vulnerabilities, the better, since most researchers will want to publish their findings online.
Security should never be taken lightly. Anyone with information about a vulnerability should not feel too intimidated to approach your company. Once you have a policy in place, it becomes easy to diversify the sources of your security information.