Security News > 2020 > September > UK's NCSC Publishes Guide to Implementing a Vulnerability Disclosure Process
The U.K.'s National Cyber Security Center has released a guide to help organizations get started with implementing a vulnerability disclosure process.
A well-defined vulnerability disclosure program, NCSC argues, prevents reputational damage that public disclosure may cause, and allows companies not only to establish a way to take action on the identified vulnerabilities, but also to inform the reporting entity that the issue is being managed.
"The international standard for vulnerability disclosure defines the techniques and policies that can be used to receive vulnerability reports and publish remediation information. The NCSC designed this toolkit for organisations that currently don't have a disclosure process but are looking to create one," the organization notes.
A clear policy toward vulnerability disclosure is also essential, as it would inform vulnerability finders of what an organization expects from them, such as how they should contact the organization, what secure communication forms are available, and what information a vulnerability report should include.
"One of the most important elements of vulnerability disclosure, and a challenge for the finder, is understanding who to contact. Security.txt is a proposed Internet standard and it describes a text file that webmasters can host in the '/.well-known' directory of the domain root. It advertises the organization's vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability," NCSC also notes.