According to the Breach Level Index, more than 5 million data records are lost or stolen every day. The vulnerabilities that permeate complex systems can impact both enterprise data and personal data. If exploited, these vulnerabilities can have significant real-world consequences.
However, we are also starting to see an unprecedented change in the industry, and a change for the better. New policies and standards are driving organizations to make sure they are prepared to receive vulnerability reports from external parties. These include the NIST Cybersecurity Framework, along with:
- Open Source Responsible Disclosure Framework by Bugcrowd
- The DOJ’s “A Framework for a Vulnerability Disclosure Program for Online Systems”
- The NTIA’s multi-stakeholder work on vulnerabilities and disclosure
- The International Organization for Standardization’s guidance on vulnerability disclosure (ISO/IEC 29147, Vulnerability Disclosure)
- The 18F vulnerability disclosure playbook
A Vulnerability Disclosure Program (VDP) is a vital part of how companies manage the risk that vulnerabilities pose. The recent momentum behind these programs shows that corporations and government agencies alike are committed to taking vulnerabilities seriously and to being more transparent about how they handle vulnerability reports.
But setting up a Vulnerability Disclosure Program and understanding what goes into it is not always intuitive. Knowing what questions to ask before jumping in will help you set yourself up for success. To that end, our new Vulnerability Disclosure Program Guide will go over 6 key questions to ask before implementing a vulnerability disclosure program.
We’re also hosting a webinar, “5 Keys to Understanding Vulnerability Disclosure Programs,” featuring Founder and CTO Casey Ellis and VP of Trust and Security Jason Haddix on April 5 at 11 AM Pacific time, to discuss:
- 5 keys to understanding vulnerability disclosure
- The impact Vulnerability Disclosure Programs are having on the industry
- Why implementing a Vulnerability Disclosure Program is no longer a nice-to-have, but a necessity