Hacktivity

With our modern-day reliance on digital technology, software and system vulnerabilities have become increasingly hard to avoid. Thoroughly eliminating all these vulnerabilities can be a challenge, but through a coordinated vulnerability disclosure (CVD) program, governments and private companies can mitigate them with the help of independent security researchers. When instituted and followed, a CVD program allows companies to manage the process of disclosure and handling of vulnerabilities in a controlled fashion by working with security researchers to coordinate a set of common terms and a timeline.

Follow Sandra Ortiz, the CEO of a Florida-based hotel chain, as she and her Chief Information Security Officer respond to a crisis that could have been mitigated with a CVD program. Sandra’s story aims to promote a better understanding of CVD practices among policymakers and business leaders, as well as to address the misperception of CVD as a catch-all solution for cybersecurity threats. Cyber insecurity affects every aspect of our lives, from how we work to how we travel or how we vote. Grappling with those issues can be overwhelming at times, but CVD empowers us to tackle them together.

About the Scowcroft Center for Strategy and Security

The Scowcroft Center for Strategy and Security works to develop sustainable, nonpartisan strategies to address the most important security challenges facing the United States and the world. The Center honors General Brent Scowcroft’s legacy of service and embodies his ethos of nonpartisan commitment to the cause of security, support for US leadership in cooperation with allies and partners, and dedication to the mentorship of the next generation of leaders.

About the Cyber Statecraft Initiative

The focus of the Cyber Statecraft Initiative is to: 1) examine the nexus of geopolitics and national security with cyberspace; 2) continue to build out the new field of cyber safety in the Internet of Things; and 3) help build the next generation of cybersecurity and cyberspace policy professionals. Throughout all of its work, the Initiative focuses relentlessly on providing practical, innovative, and relevant solutions to the challenges in cyberspace. The Initiative brings together a diverse network of respected experts, bridging the gap between the technical and policy communities.

About HackerOne

HackerOne was started by hackers and security leaders who are driven by a passion to make the internet safer. Our platform is the industry standard for hacker-powered security. We partner with the global hacker community to surface the most relevant security issues of our customers before they can be exploited by criminals.

Why CVD?

  • The Cyber Statecraft Initiative is engaged in this project out of its commitment to convening technologists and policymakers to develop actionable and technically literate policy solutions to secure the future together. Coordinated Vulnerability Disclosure (CVD) is an accepted cybersecurity best practice for mitigating cyber threats by enlisting the support of outside actors and security researchers in reporting software or application vulnerabilities. Despite its resounding success, CVD still faces many challenges. With this comic, we hope to promote a better understanding of CVD practices among policymakers and business leaders, as well as to address the misperception of CVD as a catch-all solution for cybersecurity threats.


A Little on Coordinated Vulnerability Disclosure Programs

  • Through a CVD program, members of the security research community can contact organizations and vendors about vulnerabilities that they find in their products, systems, and configurations, giving them time to deploy a fix before those vulnerabilities become public knowledge. When instituted and followed, a CVD program allows companies to manage the process of disclosure and handling of vulnerabilities in a controlled fashion by working with security researchers to coordinate a set of common terms and a timeline. This way, companies can avoid surprises while keeping their customers and systems safe.
  • Unlike bug bounty programs, CVD programs do not always involve paying security researchers, many of whom are simply looking to mitigate vulnerabilities in systems or software, or hoping to be recognized for their work. Nonetheless, it is still possible (but not necessary) to establish a CVD program by working with outside entities that help coordinate vulnerability reports.
  • Cyber insecurity affects every aspect of our lives, from how we work to how we travel or how we vote. Grappling with those issues can be overwhelming at times, but CVD empowers us to tackle them together. Remember—we are all on the same side against cyber insecurity. You are not alone.


Some Facts About CVD

  • FACT #1: There is no “one size fits all” CVD policy—it is up to companies to design their own program. That flexibility means that anyone can adopt CVD, big or small, website- or product-focused.
  • FACT #2: CVD isn’t a magical cure-all. Being aware of software flaws allows your operations team to anticipate potential breaches, but fixing them in a timely fashion is still critical.
  • FACT #3: Not all CVD programs involve bug bounties. Ethical hackers often aren’t in it for the money—they’re there to protect cyber safety and the common good.
  • Find Out More About CVD Here:
    • Angela Simpson, “Improving Cybersecurity Through Enhanced Vulnerability Disclosure,” National Telecommunications and Information Administration, December 15, 2016, https://www.ntia.doc.gov/blog/2016/improvingcybersecurity-through-enhanced-vulnerability-disclosure.
    • Allen D. Householder, Garret Wasserman, Art Manion, and Chris King, “The CERT Guide to Coordinated Vulnerability Disclosure,” Carnegie Mellon University Software Engineering Institute, August 2017, https://insights.sei.cmu.edu/cert/2017/08/the-cert-guide-to-coordinated-vulnerability-disclosure.html.