Today, the Cybersecurity Tech Accord takes a step forward in enhancing cybersecurity best practices by endorsing greater transparency around receiving, handling and communicating about vulnerabilities. In doing so, we echo guidance from the Global Forum on Cyber Expertise (GFCE)’s Global Good Practices on Coordinated Vulnerability Disclosure (CVD). Launched in 2015 in The Hague, the GFCE is a global platform that aims to strengthen cyber capacity and expertise globally, while upholding the values of an Internet that is free, open, and secure. Today’s endorsement of the GFCE’s CVD good practice for transparency by the Cybersecurity Tech Accord – a group of leading technology companies committed to protect and empower civilians online and to improve the security, stability and resilience of cyberspace – demonstrates our signatories’ commitment to minimizing the harm to society resulting from the malicious exploitation of vulnerabilities. In addition, on an ongoing basis, we also commit to working with the GFCE to achieve greater alignment between the Global Good Practices Guide and best practices for CVD in use by Cybersecurity Tech Accord companies.
Nearly – if not all – organizations and individuals use software today: it runs in products we use every day such as laptops, mobiles, TVs, cars, or even household appliances, but also enables critical infrastructures and services, from public transportation to hospitals, banks, governments, and electricity/water supplies. Any weaknesses in software can enable an attacker to compromise the integrity of these products and services. In an interconnected world, our ability to manage the risks that can be associated to their use is therefore essential.
Software vulnerabilities have become more prevalent and must be reduced to strengthen cybersecurity: over 14,500 new vulnerabilities were recorded in 2017, compared with just 6,000 the previous year. As vulnerabilities can be maliciously exploited, it is crucial that the affected vendors are informed when they are found, enabling vendors to resolve the issue without exposing users to undue risk.
While the process of disclosing such vulnerabilities can be straightforward, a vast number of different stakeholders are involved (e.g., manufacturers, vendors, reporters, government agencies, IT security providers), adding significant operational and legal complexities. Moreover, stakeholders may have very different motivations to disclose (or not) vulnerabilities: technology companies would want to preserve the integrity and security of their products and services and, ultimately, their reputations; security firms could profit from sharing such information; researchers may want to use vulnerabilities for academic purposes; and, criminals could exploit them.
CVD can significantly contribute to addressing these issues prior to public release. The Cybersecurity Tech Accord signatories strongly believe in CVD and support the idea that this approach should be endorsed by all companies – not just software companies – that develop technology. While there have been different approaches to CVD, the GFCE has, in our view, developed the most comprehensive guide for good practices.
This guide was published in 2017, building on the efforts of the Dutch, Hungarian, and Romanian governments and industry representatives to establish proven cooperation mechanisms within the cyber security community to effectively find and fix software vulnerabilities. It outlines a set of good practices for all stakeholders involved. From an industry perspective, it proposes that manufacturers, vendors, and user organizations should:
- Use existing standards and guidelines (e.g. ISO/IEC standards, FIRST’s guidelines, ENISA good practice, OIS framework);
- Implement the required processes to deal with incoming reports, investigate the reported vulnerabilities, and communicate with reporters, being as transparent as practicable about risk-based remediation timelines. This also includes publishing CVD policies on organizations’ websites;
- Allocate adequate resources to implement CVD policies to ensure that organizations have the necessary expertise. This could include running a pilot and starting with a narrow set of in-scope products/services, using a third-party bug bounty platform, and/or consulting with similarly situated organizations that have CVD policies and processes in place;
- Ensure continuous communication with all stakeholders, explicitly stating expectations towards reporters and third-party organizations;
- Agree on timelines on a case-by-case basis, avoiding a ‘one-size-fits-all’ policy and maintaining flexibility in handling various vulnerability discovery cases;
- And provide a clear explanation of pros and cons to the legal counsel, ensuring they have a good understanding of the national legal framework on CVD and the importance and advantages of CVD for an organization. Legal counsel needs to have the right information to give the best legal advice.
As a first concrete step, the Cybersecurity Tech Accord’s signatories commit to publish their CVD policies, in line with one of the GFCE’s best practices inviting organizations to be as transparent as possible (links below). In addition, we call on more technology companies to adopt CVD policies and hope to announce further actions to encourage this initiative in the coming months.
CVD policies of the Cybersecurity Tech Accord signatories:
ABB | ACCESS SMART | ANCHOR FREE | ALITER | ANOMALI | ARM | ATLASSIAN | AVAST | AVEPOINT | BALASYS | BILLENNIUM | BITDEFENDER | BT | CAPGEMINI | CARBON BLACK | CISCO | CLOUDFLARE | COGNIZANT | CONTRAST SECURITY | CYBER SERVICES | DATASTAX | DELL | DOCUSIGN | ESET | FACEBOOK | FASTLY | FIREEYE | FRACTAL INDUSTRIES | F-SECURE | G DATA | GIGAMON | GITHUB | GITLAB | GUARDTIME | HITACHI | HP INC | HPE | IMPERVA | INTEGRITY PARTNERS | INTUIT | JUNIPER NETWORKS | KOOLSPAN | KPN | LINKEDIN | MEDIAPRO | MERCADO LIBRE | MICROSOFT | NIELSEN | NOKIA | NTT | ORACLE | PANASONIC | PANDA | PREDICA | ROCKWELL AUTOMATION | RSA | SAFETICA | SALESFORCE | SAP | SECUCLOUD | SILENT BREACH | SONDA | STACKPATH | STRIPE | SWISSCOM | TAD GROUP | TANIUM | TELECOM ITALIA | TELEFONICA | TELELINK | TENABLE | THREATMODELER SOFTWARE INC | TRENDMICRO | VMWARE | WISEKEY
About the Global Forum on Cyber Expertise (GFCE)
The Global Forum on Cyber Expertise (GFCE) is a global platform for countries, international organizations, and private companies to exchange best practices and expertise on cyber capacity building. The aim is to identify successful policies, practices, and ideas and multiply these on a global level. Together with partners from NGOs, the tech community, and academia GFCE members develop practical initiatives to build cyber capacity.