Duo signed a joint letter penned by Rapid7 recommending the addition of a vulnerability disclosure and handling process to the National Institute of Standards and Technology's (NIST) Cybersecurity Framework. NIST's call for public comment on version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity brought the issue to light.
Several other security companies and civil-society organizations also signed the letter, among them Cisco, Symantec, Bugcrowd, the Center for Democracy & Technology and the Electronic Frontier Foundation (EFF).
The impetus behind the comments is to clarify the existing elements of the framework and outline processes for receiving, assessing and mitigating security vulnerabilities from outside sources, such as independent researchers.
According to the letter, the benefits of a coordinated vulnerability disclosure and handling process include:
- Organizations can quickly detect and respond to reported vulnerabilities
- This can help them increase the security, data privacy and safety of their systems
- Security researchers and other vulnerability reporters are protected, and conflict or misunderstanding between reporters and organizations is reduced
- Organizations with limited cybersecurity resources can benefit from external discovery of vulnerabilities in their products, services, infrastructure and system configuration
The letter also points out that best practices for vulnerability disclosure and handling processes already exist in the ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes) standards, which can serve as roadmaps customized to each organization's needs. Katie Moussouris, co-editor of both standards, has also signed the letter supporting the proposed revisions.
According to Rapid7, if the Framework includes this revision, it will encourage more companies and government agencies to adopt these processes, which will both strengthen security overall and ease communication with security researchers.
Read the full letter and get more detailed information on the explicit changes: Joint Comments on "Framework for Improving Critical Infrastructure Cybersecurity" version 1.1 Before the National Institute of Standards and Technology.