Leading by example. Cybersecurity Tech Accord welcomes new signatories and agrees to implement vulnerability disclosure policies across the group

Today, the Cybersecurity Tech Accord welcomes four new companies to its ranks, bringing the total number of signatories to 111 companies committed to improving the security of cyberspace. Archive360, Exeltek Consulting Group, Indra Minsait, and Professional Options all join in the pledge to protect users and customers everywhere. This expansion further deepens the group’s worldwide reach, highlighting the global nature of the challenges we face.

“The Exeltek Consulting Group is proud to sign the Cybersecurity Tech Accord alongside other organizations who have prioritized their commitment to cybersecurity. We’re eager to collaborate with our fellow signatories to make the internet a safer place for all. By sharing knowledge on emerging threats, engaging in coordinated vulnerability disclosure, and improving best practices, we’re confident that a more secure world is within our collective reach,” said Gotham Sharma, Managing Director, Exeltek Consulting Group.

“Archive360 is honored to join the Cybersecurity Tech Accord and supports the prioritization of cyberspace security. This effort will require continued collaboration with our partner community on identifying emerging threats, sharing research, and creating best practices to develop new policies, regulations, and control the costs of a comprehensive cyberspace stratagem,” said Bill Tolson, Vice President of Global Compliance, Archive360.

Over the past year, the Cybersecurity Tech Accord signatories have come together to support numerous initiatives that seek to increase the security of the online ecosystem, in addition to investing in discrete workstreams. From the outset there has been one issue that we have vocally supported – the need for governments and industry to adopt vulnerability disclosure policies. Today we are proud to announce that all 111 signatories have committed to adopt vulnerability disclosure policies by the end of the year, and more than half already have such policies in place.

“Professional Options recognises rising cyber security threats in all sectors, and whether they are from isolated actors, members of organised crime or rogue nation-states, they are not only causing increasing losses but impacting public perception regarding the safety of critical systems. Underinvesting in security and not having mitigations in place or shared resources to respond to incidents is unfortunately too common, which is why policy and security protocols should be the highest priority. An accord not only benefits organisations that embrace these goals, but the world-at-large. We are proud to sign the Cybersecurity Tech Accord,” said Doña Keating, President and CEO, Professional Options.

Vulnerabilities, in this context, refer generally to points of weakness in technology products and services that could, unless fixed, potentially be exploited by malicious actors to cause harm. While not all vulnerabilities present security challenges, the potential for risk illustrates why it is so critical that technology companies have policies in place establishing how vulnerabilities are reported and mitigated in a timely fashion. Vulnerabilities can take different forms depending on the technology in question (e.g. hardware or software), and business models can also impact how challenges and solutions can be most efficiently communicated.

We recognize that there are different approaches to implementing vulnerability disclosure policies. Today within the Cybersecurity Tech Accord, signatory companies have adopted diverse paths to best reflect the needs of their organizations and their customers. While each approach may differ, there are foundational qualities that they should all share, based on good practices such as those identified by the Global Forum for Cyber Expertise (GFCE). They include:

  • Establishing clear protocols to process incoming reports of vulnerabilities, and to investigate them;
  • Allocating necessary resources to implement policies that address and remediate vulnerabilities; and
  • Maintaining robust communications with all relevant stakeholders.

Furthermore, approaches could include the adoption of emergent protocols like security.txt, a website security standard that allows for the streamlined reporting of vulnerabilities by security researchers so they can be efficiently remediated. Others may include vulnerability disclosure safe harbor policies, which ensure that researchers who accidentally or in good faith exceed the bounds of the disclosure policy are nonetheless protected from civil or criminal action at the behest of the entity. Other signatories, such as Microsoft and HP, have adopted Coordinated Vulnerability Disclosure policies, meant to ensure that vulnerabilities are shared in a prioritized and strategic way, first with vendors or other authorities in a position to develop solutions, which can then be provided to users and customers.

For the largest coalition of global technology firms committed to improving the cybersecurity ecosystem, the decision to adopt vulnerability handling policies is a significant step forward. With the expansion of new signatories and a concrete commitment to a security best practice, the Cybersecurity Tech Accord signatories hope to continue to raise cybersecurity to a higher level. In addition to the immediate benefits to our respective users and customers, we also hope that supporting such policies will set an example for other tech companies around the world seeking to employ responsible best practices to improve security. Moreover, we hope this further highlights the importance of transparent vulnerability handling for governments as well.