HackerOne is in the business of vulnerability disclosure and bug bounty programs—helping customers to implement solid strategies for communicating and resolving vulnerabilities effectively. In an effort to help more businesses grasp vulnerability disclosure and coordination HackerOne released a free public benchmarking tool called the Vulnerability Coordination Maturity Model. VCMM for short.
I spoke with Katie Moussouris, chief policy officer for HackerOne, to learn more about VCMM. As the concept of bug bounties gains more mainstream traction more organizations realize they need to have processes and policies in place to govern how vulnerabilities are communicated and managed. When Katie starts to dig in to learn where the company is right now, though, she finds that many have no clue what they’re existing policies or capabilities are. The VCMM was created to give organizations a tool to benchmark where they are so they can identify and prioritize the areas that need to be improved.
Tod Beardsley, security research manager at Rapid7, explained that there is a lot of confusion and misunderstanding about what to do when software vulnerabilities are discovered. “The Vulnerability Coordination Maturity Model is an important effort from HackerOne to codify some reasonable minimum standards on how organizations handle incoming, unsolicited vulnerability reports.”
Beardsley shared frustration over the lack of standards when it comes to communicating bugs. Although there has been a guideline in place for over a decade stressing the need for a standard method of communication Beardsley says that 7 out of 10 times he tries to send a message to firstname.lastname@example.org established standard for an email address for security communications—he receives a bounced email error.
“No software is immune to bugs; for most organizations it’s not a matter of if they’ll have an external hacker reporting security vulnerabilities, but when,” said Katie Moussouris in a press release statement. “This maturity model shows how to build muscles and reflexes in vulnerability coordination to improve the security of an organization’s software, and the outcome for all parties when vulnerabilities are disclosed."
You don’t need to be a vulnerability or security expert to take advantage of the VCMM. In fact, that’s sort of the point. Beardsley praised the HackerOne tool and expressed confidence that VCMM is a solid step in the right direction. “The work that HackerOne has put into this document is clear, concise, and it shouldn't trigger the fear and anxiety that normally accompanies a one-off vulnerability disclosure that arrives out of the blue.”
Do you want to find out where your organization lies on the Vulnerability Coordination Maturity Model spectrum? Just visit HackerOne and answer a few questions to take advantage of the VCMM.