Earlier this month, the National Institute of Standards and Technology (NIST) released a revised draft (version 1.1, Draft 2) of its Framework for Improving Critical Infrastructure Cybersecurity. The new draft now includes vulnerability disclosure processes as part of the Framework Core (on page 43).
This revision contains an important addition, and it is the result of an industry effort. Last spring a number of organizations, including Rapid7, Duo Security, Cisco, Symantec (and yours truly, Bugcrowd), submitted a letter in response to NIST's call for public comment on the Framework.
The current draft now includes the following:
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
This language is very close to that suggested in the letter’s primary recommendation: “Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from external sources.”
The revised Framework also mentions security researchers in its description of Tier 1 implementation (pg. 10). This is another exciting addition, and one that paves the way for the whitehat community to partner with organizations.
This is a major move by NIST. The news comes on the heels of another year of escalating cyber attacks and a growing focus from the federal government on vulnerability disclosure. Policy makers are responding, and that is a positive thing.
Adding to the positive changes, the White House recently released its Federal IT Modernization Report. That report positions vulnerability disclosure as the best-practice approach to external security testing for the U.S. Government. This is another major step forward not only for the bug bounty model but, most importantly, for the security of everyone in the U.S.
2017 was undoubtedly another year of escalation in the size, scope and scale of cyber attacks, and it is fair to say that most Americans were affected by at least one of the year's breaches. But it has also been a year of unprecedented change for the better. With standards such as the NIST Framework and proposed legislation such as the Data Security and Breach Notification Act, it is now incumbent on organizations to ensure they are set up to receive vulnerability data from external parties, a practice that is already becoming the adhered-to standard for major private organizations.
On behalf of Bugcrowd, thank you to all of those who responded to the call and expressed support for this very positive change!