• United States



Senior Staff Writer

Organizations get vulnerability maturity model

Sep 22, 20152 mins
Application SecurityIT LeadershipTechnology Industry

Simple quiz offers a baseline for organizations looking to deal with disclosure issues

number gauge measure
Credit: Thinkstock

Despite the age of the argument, disclosure is still a hot topic. However, some organizations aren’t ready to deal with researchers who disclose vulnerabilities.

Now, HackerOne is offering organizations a chance to discover their maturity level when faced with such a situation.

The tool is called the Vulnerability Coordination Maturity Model (VCMM).

Created by Katie Moussouris, HackerOne Chief Policy Officer, all an organizations has to do is answer a few questions, and they’ll get an overview of where they stack-up against their peers when it comes to the disclosure process and vulnerability mitigation.

Considering that recent events with FireEye have brought the topic of bounty programs and the disclosure process back to center stage, organizations that don’t have a process in place to deal with disclosure can use the HackerOne tool as a conversation starter within the company.

The video embedded below offers a full overview, but at a minimum the following are a list of things a company needs to meet the basic levels of maturity:

Organizational: Executive support to respond to vulnerability reports, and a commitment to security and quality as a core organizational value

Engineering: A clear way to receive vulnerability reports, and an internal bug database to track them to resolution (See ISO 29147)

Communications: The ability to receive vulnerability reports and a verifiable channel to distribute advisories to affected parties (See ISO 29147)

Analytics: Track the number and severity of vulnerabilities over time to measure improvements in code quality

Incentives: Show thanks or give swag. Clearly state that no legal action will be taken against researchers who report bugs