If someone finds a security issue on your website or in software your company developed, what are they supposed to do with that information? Hopefully they won’t simply announce it to the general public before giving you a chance to fix it, but do you have policies and procedures in place to make it easy for someone to communicate that information to you? HackerOne created a new tool called the Vulnerability Coordination Maturity Model–or VCMM–to help organizations determine where they are on the spectrum and find areas to improve vulnerability communication and response.
I wrote this post about the Vulnerability Coordination Maturity Model:
HackerOne is in the business of vulnerability disclosure and bug bounty programs—helping customers implement solid strategies for communicating and resolving vulnerabilities effectively. In an effort to help more businesses grasp vulnerability disclosure and coordination, HackerOne released a free public benchmarking tool called the Vulnerability Coordination Maturity Model, or VCMM for short.
I spoke with Katie Moussouris, chief policy officer for HackerOne, to learn more about VCMM. As the concept of bug bounties gains more mainstream traction, more organizations realize they need to have processes and policies in place to govern how vulnerabilities are communicated and managed. When Katie starts to dig in to learn where a company is right now, though, she finds that many have no clue what their existing policies or capabilities are. The VCMM was created to give organizations a tool to benchmark where they are so they can identify and prioritize the areas that need to be improved.
Tod Beardsley, security research manager at Rapid7, explained that there is a lot of confusion and misunderstanding about what to do when software vulnerabilities are discovered. “The Vulnerability Coordination Maturity Model is an important effort from HackerOne to codify some reasonable minimum standards on how organizations handle incoming, unsolicited vulnerability reports.”
Beardsley shared frustration over the lack of standards when it comes to communicating bugs. Although there has been a guideline in place for over a decade stressing the need for a standard method of communication, Beardsley says that 7 out of 10 times he tries to send a message to a security@ address at a company's domain–the established standard for an email address for security communications—he receives a bounced email error.
You can read the full story on CSOOnline.com: HackerOne launches free Vulnerability Coordination Maturity Model tool.