WisdomInterface

Vulnerability Disclosure: Considerations, Risks, And Costs

Vulnerability Disclosure Programs (VDPs) are, at the most basic level, mechanisms through which security researchers can report the vulnerabilities they find to an organization. VDPs are not only a security best practice; they are also increasingly written into security frameworks such as NIST SP 800-53 Rev. 5 and mandates such as the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 20-01, which requires every United States federal civilian agency to develop and publish a vulnerability disclosure policy.

According to Melissa Vice, COO of the Department of Defense Vulnerability Disclosure Program, speaking on the Wiley Connected Podcast episode “DoD Cyber: A Conversation with Melissa Vice, COO for DoD’s Vulnerability Disclosure Program,” a good Vulnerability Disclosure Program should have three elements: a policy, a reporting channel, and a process for responsible disclosure.

Does a security email alias or a web form check the box for vulnerability disclosure? What constitutes good responsible disclosure, or a good VDP? Can a program be built in-house, or are vendors a more effective route?
