New Security Vulnerability Disclosure Toolkit Released by NCSC
by Raymund Taylun, Senior Security Advisor
17 September 2020
Unpatched security vulnerabilities are one of the main routes cyber criminals use to gain unauthorised access to an environment and then steal or encrypt confidential data for financial gain.
By sharing security intelligence, organisations can help the UK become more resilient to cyber attacks while directly benefiting themselves. Secon Cyber welcomes a new addition from the National Cyber Security Centre (NCSC) that simplifies the sharing of vulnerability information.
To give organisations and security researchers an appropriate reporting channel for discovered vulnerabilities, the NCSC has released its own toolkit, the Vulnerability Disclosure Toolkit. The toolkit aims to bridge the communication gap between organisations and security researchers in order to:
- Enable researchers to report security vulnerabilities to an organisation
- Empower the recipient organisations to act on reported vulnerabilities before they are exploited by cyber criminals.
The toolkit details three essential components, as shown in the image below:
The Vulnerability Disclosure Toolkit describes a security.txt file in which an organisation publishes its security contacts (for example an email address or telephone number), a link to its vulnerability disclosure policy, and the encryption key that security researchers should use for encrypted communication with the security team.
NCSC recommends publishing a security.txt file. The security.txt format gives organisations a standard way to describe their vulnerability disclosure practices, so researchers know where and how to report without hunting for a contact. The file is plain text and must be served at /.well-known/security.txt on the domain, using the well-known URI location defined in RFC 8615; it should be served over HTTPS so that researchers can trust the contact details and key it points to.
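To show what a well-formed security.txt looks like and which mistakes to check for before publishing one, here is an added example (it is not part of the NCSC toolkit or of this article): a small Python checker run over a constructed sample file for the fictional domain example.com. All addresses, URLs and the key location in the sample are made up. The checker follows the field rules of RFC 9116, the published (2022) form of the security.txt draft the toolkit refers to: Contact is required and must be a URI (mailto:, tel: or https:), Expires is required and must be in the future, and link fields such as Encryption and Policy must use https.

```python
"""Parse and sanity-check a security.txt file.

Added example for this article; not code from the NCSC toolkit. Field rules
follow RFC 9116, the published form of the security.txt Internet-Draft.
"""
from datetime import datetime, timezone

# Constructed sample for a fictional organisation (example.com); not a real file.
SAMPLE_SECURITY_TXT = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: tel:+44-20-7946-0000
Contact: https://example.com/security/report
Expires: 2021-09-17T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed example showing common mistakes: a bare e-mail address instead of
# a mailto: URI, no Expires line, and a plain-http Encryption link.
BROKEN_SECURITY_TXT = """\
Contact: security@example.com
Encryption: http://example.com/pgp-key.txt
"""

# Publication date of the article, used as "now" when checking the samples.
ARTICLE_DATE = datetime(2020, 9, 17, tzinfo=timezone.utc)

# Fields whose value is a link and therefore must be an https URL.
LINK_FIELDS = ("encryption", "policy", "canonical", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Return {field_name_lowercased: [values...]}, skipping blank and # comment lines.

    Field names are case-insensitive in the spec, so they are normalised;
    values are kept exactly as written.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {line!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value):
    """Parse an RFC 3339 timestamp such as 2021-09-17T00:00:00.000Z as an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # datetime.fromisoformat does not accept a trailing 'Z'
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # be lenient with a missing offset and assume UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passed every check."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        # Contact values must be URIs; a bare address or phone number is a common error.
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if _parse_expires(expires[0]) <= now:
                problems.append(f"file has expired: Expires: {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {expires[0]}")

    for name in LINK_FIELDS:
        for v in fields.get(name, []):
            if not v.startswith("https://"):
                problems.append(f"{name.title()} must be an https URL: {v}")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        print(label, check_security_txt(text, now=ARTICLE_DATE) or "OK")
```

The script runs offline against the embedded samples. To check a live file, fetch the body of https://yourdomain/.well-known/security.txt (over HTTPS, not HTTP) and pass it to check_security_txt; an expired Expires value is the failure researchers hit most often in practice, because the file is written once and then forgotten.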
This reporting process gives organisations visibility of security vulnerabilities they might otherwise not learn about, so they can remediate before a cyber criminal exploits them.
In effect, organisations draw on the collective intelligence of independent security researchers to manage and reduce their risk, provided they act on the vulnerabilities that are reported to them.
The NCSC's published Vulnerability Disclosure Toolkit can be found at the link below: