Someone politely knocks on your door and reports that there’s a hole in your wall big enough for a person to climb through. You immediately threaten legal action. Crazy? In the world of vuln research, this happens. This session will review a Vuln Disclosure Maturity Model created describe best-in-class practices. For any company wanting to get better bug reports faster—this session is a must.
(Source: RSA USA 2016-San Francisco)
The 7 Things I Know About Cyber Security After 25 Years | April 2024
…But Now I See—A Vulnerability Disclosure Maturity Model
1. Presenter’s Company
Logo – replace on
master slide
#RSAC
SESSION ID:
#RSAC
…But Now I See - a Vulnerability
Disclosure Maturity Model
HT-R04F
2. Presenter’s Company
Logo – replace on
master slide
#RSAC
Who the FSCK Are You? What is it you do here?
2
Chief Policy Officer, HackerOne
Former Microsoft Security
Strategist
Former Hacker for Hire
ISO Standards Editor
New America Foundation Fellow
MIT Sloan Visiting Scholar
Harvard Belfer Affiliate
3. Presenter’s Company
Logo – replace on
master slide
#RSAC
Measuring Our Maturity
3
How would you answer these questions?
When someone emails security@mycompany, who responds? How
quickly?
Would my company’s legal department threaten a well-intentioned
hacker who came to us with a valuable bug?
4. Presenter’s Company
Logo – replace on
master slide
#RSAC
Measuring Our Maturity
4
Does engineering prioritize the importance of product features
alongside security bugs that come in from the wild?
If a reporter asked my CEO about a breach reported at our company,
would she know what steps were taken to ensure user safety?
Is $10,000 is too much, too little, or just right to offer a hacker for a
bug?
5. Presenter’s Company
Logo – replace on
master slide
#RSAC#RSAC
The 5 Key Elements of Vulnerability
Coordination Maturity
6. Presenter’s Company
Logo – replace on
master slide
#RSAC
Vulnerability Coordination Maturity Model
6
New model for organizations to assess
maturity of their vulnerability coordination
process
Model guides how to organize and improve
efforts inside and outside of an
organization
5 Capability Areas: Organizational,
Engineering, Communications, Analytics
and Incentives
3 Maturity Levels for each Capability: Basic,
Advanced or Expert
Companies can benchmark their
capabilities against the industry
Analytics
Communications
EngineeringIncentives
Organizational
7. Presenter’s Company
Logo – replace on
master slide
#RSAC
Organizational
7
Level Capability
Basic Executive support to respond to vulnerability reports and a
commitment to security and quality as core organizational
values.
Advanced Policy and process for addressing vulnerabilities according to
ISO 29147 and ISO 30111, or a comparable framework.
Expert You have executive support, processes, budget and dedicated
personnel for handling vulnerability reports.
People, process, and resources to handle potential vulnerabilities
9. Presenter’s Company
Logo – replace on
master slide
#RSAC
Engineering
9
Level Capability
Basic Clear way to receive vulnerability reports, and an internal bug
database to track them to resolution. See ISO 29147.
Advanced Dedicated security bug tracking and documentation of security
decisions, deferrals, and trade-offs.
Expert Use vulnerability trends and root cause analysis to eliminate
entire classes of vulnerabilities. See ISOs 29147, 30111, 27034.
Capabilities to evaluate and remediate security holes, and improve software development lifecycle
11. Presenter’s Company
Logo – replace on
master slide
#RSAC
Communications
11
Level Capability
Basic Ability to receive vulnerability reports and a verifiable channel
to distribute advisories to affected parties. See ISO 29147.
Advanced Tailored, repeatable communications for each audience,
including security researchers, partners, customers, and media.
Expert Structured information sharing programs with coordinated
distribution of remediation.
Ability to communicate to audiences internally and externally about vulnerabilities.
13. Presenter’s Company
Logo – replace on
master slide
#RSAC
Analytics
13
Level Capability
Basic Track the number and severity of vulnerabilities over time to
measure improvements in code quality.
Advanced Use root causes analysis to feed back into your software
development lifecycle. See ISOs 29147, 30111, 27034.
Expert Track real-time telemetry of active exploitation to drive
dynamic pivots of remediation strategy.
Data analysis of vulnerabilities to identify trends and improve processes.
15. Presenter’s Company
Logo – replace on
master slide
#RSAC
Incentives
15
Level Capability
Basic Show thanks or give swag. Clearly state that no legal action will
be taken against researchers who report bugs.
Advanced Give financial rewards or bug bounties to encourage reporting
the most serious vulnerabilities.
Expert Understand adversary behavior and vulnerability markets, and
structure advanced incentives to disrupt them.
Ability to encourage security researchers to report vulnerabilities directly.
17. Presenter’s Company
Logo – replace on
master slide
#RSAC#RSAC
Measuring Success in Vulnerability
Disclosure
A look at 100+ Companies
18. Presenter’s Company
Logo – replace on
master slide
#RSAC
Measuring Success in Vulnerability Disclosure
18
Survey Data
N=194
IT/Security Professionals
Collected between Sept. 2015 – Jan. 2016 via online survey
19. Presenter’s Company
Logo – replace on
master slide
#RSAC
Measuring Success in Vulnerability Disclosure
19
Capability Mean Score
Analytics 1.52
Communications 1.38
Engineering 1.49
Incentives 1.09
Organizational 1.59
Analytics
Communications
EngineeringIncentives
Organizational
21. Presenter’s Company
Logo – replace on
master slide
#RSAC
Measuring Success in Vulnerability Disclosure
21
Analytics Comms Engineering Incentives Organizational
Finance 1 5 1 2 2
Technology -
Mobile Apps
2 1 2 1 1
Technology - B2B 3 4 4 3 4
Healthcare 4 6 5 8 7
Manufacturing 5 2 3 4 5
Government 6 8 9 10 6
Unknown 7 3 7 6 9
Education 8 7 6 9 8
Technology - B2C 9 10 8 5 10
Other 10 9 10 7 3
Rank of Industry by Capability, min. 10 respondents (1 = best, 10 = worst)
22. Presenter’s Company
Logo – replace on
master slide
#RSAC
Technology – B2B vs Overall Average
22
Analytics
Communications
EngineeringIncentives
Organizational
Overall Average Technology - B2B
23. Presenter’s Company
Logo – replace on
master slide
#RSAC
Government vs Overall Average
23
Analytics
Communications
EngineeringIncentives
Organizational
Overall Average Government
24. Presenter’s Company
Logo – replace on
master slide
#RSAC
Finance vs Overall Average
24
Analytics
Communications
EngineeringIncentives
Organizational
Overall Average Finance
25. Presenter’s Company
Logo – replace on
master slide
#RSAC
Sample Company – Riot
25
Capability Average Riot
Analytics 1.52 2
Comms 1.38 2
Engineering 1.49 3
Incentives 1.09 3
Org. 1.59 3
Analytics
Comms
EngineeringIncentives
Organizational
Riot vs. VCMM Average
Average Riot
26. Presenter’s Company
Logo – replace on
master slide
#RSAC
Sample Company – Adobe
26
Capability Average Adobe
Analytics 1.52 2
Comms 1.38 2
Engineering 1.49 3
Incentives 1.09 1
Org. 1.59 3
Analytics
Comms
EngineeringIncentives
Organizational
Adobe vs. VCMM Average
Average Adobe
27. Presenter’s Company
Logo – replace on
master slide
#RSAC
Sample Company – ToyTalk
27
Capability Average ToyTalk
Analytics 1.52 2
Comms 1.38 2
Engineering 1.49 3
Incentives 1.09 3
Org. 1.59 3
Analytics
Comms
EngineeringIncentives
Organizational
ToyTalk vs. VCMM Average
ToyTalk Average
28. Presenter’s Company
Logo – replace on
master slide
#RSAC
Next Steps
28
Continue to gather data
Non self-reported
Larger sample size
Multi-vendor coordination is needed
29. Presenter’s Company
Logo – replace on
master slide
#RSAC#RSAC
Put Your Organization To The Test – Where
Do You Rank
30. Presenter’s Company
Logo – replace on
master slide
#RSAC
“Apply”
30
Take the free maturity assessment within minutes at
hackerone.com/vulnerability-coordination-maturity-model