The proliferation of independent and vendor-sponsored bug bounties has not only put some money in researchers’ pockets, but has also forced enterprises—and software makers—to put processes in place to handle outside bug reports.
“Saying you want one is not enough,” said Katie Moussouris, chief policy officer at bug bounty platform provider HackerOne. “CSOs need to figure out if they’re prepared to receive vulnerability reports from the outside.”
HackerOne today launched its Vulnerability Coordination Maturity Model, a free online assessment that organizations can use to determine where shortcomings may exist in areas such as executive support, communicating with customers and the industry, and incentives, before turning to established ISO standards, for example, that help handle bugs from a root-cause analysis and engineering standpoint.
The Vulnerability Coordination Maturity Model is a free five-minute survey tool that walks you through five top-level capabilities and three maturity levels within each capability that should be in place for a vulnerability program to succeed. The survey determines an organization’s readiness and produces a report that benchmarks where a company stands at a point in time and how it measures up to other organizations. CSOs, for example, can take the report results and figure out how to best funnel resources and new investments.
“You can actually get a lot of mileage in these capability areas even if you are a small developer shop,” Moussouris said. “Deciding you’re going to respond to vulnerability reports and having a process to deal with them, you can do that with a single developer. Getting into advanced levels in analysis and engineering requires advanced resources. If you’re going to have a program in place to accept and fix vulnerabilities, you should be able to fold in the resources you need.”
Each capability that is assessed in the model returns a determination of whether an organization is at a basic, advanced or expert level. For example, the section that asks about organizational support puts companies with executive support and a commitment to security as a core value at a basic level. More advanced companies have a policy and process in place for addressing vulnerabilities that align with an established standard such as ISO 29147 or ISO 30111. Expert-level companies have not only expert support and budgeting in place, but also dedicated analysts who handle vulnerability reports. Similar assessments are made for each capability:
Top-level engineering processes should include dedicated bug-tracking and the use of root-cause analysis to eliminate classes of vulnerabilities.
Expert-level analytics track real-time telemetry of public exploits and help establish remediation and feed data back into a software development lifecycle.
Structured information-sharing and appropriate messaging for the research community, business partners, customers and the media are top-level communications attributes.
Finally, the model assesses where a company is with incentives; stronger programs structure incentives that disrupt vulnerability markets and go beyond financial rewards or bug bounties for critical vulnerabilities. Part of the incentive model, Moussouris said, is an assurance that an organization will not take legal action against a researcher reporting serious vulnerabilities.
“If you have not figured out how to accept reports from customers or hackers or partners, you have not thought it through, and you’re not thinking about security end to end,” Moussouris said.
HackerOne shared an early preview of the model with a few organizations, including the Food and Drug Administration, Moussouris said.
“They looked at how medical device and health care companies get started with vulnerability coordination. This software affects lives,” she said. “You have to be able to receive vulnerability reports to maintain public safety. They liked the simplicity of the model and the ability to digest the data coming out of it. They were anxious to get started on incremental steps to take to get better.”