The UK National Cyber Security Centre (NCSC) has published a toolkit to help organisations set up a vulnerability disclosure programme.
A vulnerability disclosure programme makes it easy for someone to give your organisation information when they notice a vulnerability that could affect your security. Without such a programme in place, concerned clients or researchers have to resort to social media to try to share their discovery, which may undermine customer confidence and draw the attention of bad actors who attempt to take advantage of the situation before you have time to resolve it.
The NCSC Vulnerability Disclosure Toolkit is designed around three principles:
- Communication – make it easy for people to find out how to contact you with a security disclosure
- Policy – have a clear policy that defines how you will respond to a disclosure (an example policy is included)
- Security.txt – NCSC recommends adopting the proposed Security.txt standard
What is Security.txt?
Security.txt is a proposed standard that allows websites to publish their security policies. A site places a text file at ‘/.well-known/security.txt’ containing the contact details to use when disclosing a security vulnerability. The scheme also includes the option to digitally sign the file with an OpenPGP cleartext signature, so that anyone reading it can detect whether an attacker has modified it.
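As an added example (not part of the NCSC toolkit or the Security.txt project), the following Python checker shows what a consumer of such a file has to do: unwrap an OpenPGP cleartext-signature envelope (without verifying the signature itself), parse the fields, and check the Contact and Expires requirements that the later RFC 9116 version of the standard makes mandatory. The sample file, its placeholder signature and the example.org addresses are constructed.

```python
from datetime import datetime, timezone
# Constructed sample; the signature block is a placeholder, not a real OpenPGP signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# assumed location: https://example.org/.well-known/security.txt
Contact: mailto:security@example.org
Expires: 2030-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----
placeholder-signature
-----END PGP SIGNATURE-----
"""

SIGNED, SIG = "-----BEGIN PGP SIGNED MESSAGE-----", "-----BEGIN PGP SIGNATURE-----"

def strip_cleartext_signature(text):
    """Return the signed body of a cleartext-signed file, or the text unchanged (no verification)."""
    lines = text.splitlines()
    if not lines or lines[0] != SIGNED:
        return text
    i = 1
    while i < len(lines) and lines[i].strip():  # skip armor headers such as "Hash: SHA256"
        i += 1
    end = lines.index(SIG) if SIG in lines else len(lines)
    body = lines[i + 1:end]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)  # undo dash-escaping

def parse_security_txt(text):
    """Map lower-cased field names to their values; lines starting with '#' are comments."""
    fields = {}
    for line in strip_cleartext_signature(text).splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not name.startswith("#"):
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return problems found; an empty list means the RFC 9116 must-have fields are present."""
    fields = parse_security_txt(text)
    problems = [] if fields.get("contact") else ["missing Contact field"]
    expires = fields.get("expires", [])
    if len(expires) != 1:
        return problems + ["exactly one Expires field is required"]
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + ["Expires is not an ISO 8601 timestamp: " + expires[0]]
    if when <= (now or datetime.now(timezone.utc)):
        problems.append("file has expired: " + expires[0])
    return problems
```

Without the unwrapping step the `Hash: SHA256` armor header would be parsed as a field, which is why a checker must strip the envelope before reading the fields; verifying the signature against the site's published key is a separate step left out here.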