There is a need to develop vulnerability disclosure policies that address how a health care organization responds to a researcher's report that a product contains a vulnerability. The assurance given to researchers is that they will not be penalized unfairly for reporting the vulnerability. The health care organization prioritizes the quality of the system and ensures that it has the best policies in its development lifecycle for addressing vulnerabilities (Householder, Wassermann, & Manion, 2017). There may be challenges in developing a CVD program, designing repeatable procedures, and scoping the program to match the organization's technical capacity. In the wake of increasing vulnerability cases such as Heartbleed, a significant technology threat, any firm, and especially a health care organization, needs a CVD program (Woszczynski, Green, Dodson, & Easton, 2020). This will give researchers a channel for submitting potentially unknown and harmful security vulnerabilities to the organization.
The CVD will provide a precise communication mechanism for people to report vulnerabilities in the firm's products and services. The CVD does not need to be long, but it must contain the elements of promise, scope, safe harbor, process, and preferences (Pupillo, Ferreira, & Varisco, 2018). This particular CVD will make clear promises and demonstrate a clear and reasonable good-faith commitment to customers and other key stakeholders whom security vulnerabilities may impact. For scope, the CVD will indicate the properties and products and the vulnerability types covered; the process element will describe how finders report vulnerabilities. For safe harbor, the CVD will ensure that reporters acting in good faith will not be penalized. Finally, the CVD will remain a living document that sets expectations for the preferences and priorities used in evaluating reports.
Scope
Our health organization seeks to be a leader in protecting our users' security and privacy. Hence it has designed its systems within a security-first framework. Through its IT sector, the organization performs modeling and resilience testing to acquire solutions and maintain a secure system. As a result, the organization welcomes security researchers who inform the company of any vulnerabilities that could put the firm's safety and security at risk.
The researchers also need to notify the company of any vulnerability that could compromise the integrity, confidentiality, or availability of the organization's systems. The vulnerability disclosure policy governs how the company interacts with other parties and conducts dialogue with any security researcher who reports details of vulnerabilities (Kranenbarg, Holt, & van der Ham, 2018). The company intends to have mechanisms for working well with others to protect the systems and ensure the safety and security of the users. The scope of the CVD program for the health care organization covers any security vulnerabilities that affect the technological sector of the organization. The following items will be within the scope of the CVD program:
This is because it can help improve the responsiveness of the supplier of the product or the software.
What is expected of the researcher
Security researchers are encouraged to undertake vulnerability research. However, to differentiate legitimate research from malicious activity, researchers need to:
What you can expect from our company
Once you work in accordance with our policy and the applicable rules and regulations, this is what you can expect from our company:
Reporting a vulnerability can be done by sending a message to our email addresses or through our website. When reporting, a researcher is asked not to abuse the reported vulnerability (Pupillo, 2018), for example by downloading more data than necessary to demonstrate the vulnerability, or by deleting any part of the system or its data. Reporters are also asked to exercise caution and refrain from accessing any personal data. They must not intentionally engage in any form of attack against third parties, denial-of-service activity, or anything that causes a nuisance to other users.
How to submit a vulnerability report
A high-quality report is needed to get feedback from our organization's team. Specific issues and elements must be part of the report to substantiate the vulnerability. Low-quality reports will be closed and not attended to. This is the recommended format that will be accepted once submitted through our email or website:
Eligibility and Disclosure
To be eligible, a researcher submitting a vulnerability must agree to the vulnerability disclosure policy and confirm that he/she is the first person to responsibly report the previously unknown issue. Once a report is sent to our organization, legitimate reports will be reviewed and evaluated by our company's technical and security teams, who will then determine whether the report is eligible (Tucker, 2018). Disclosure may take place either privately or publicly. In private disclosure, the vulnerability is reported discreetly to the firm. The firm may choose whether or not to publish the details, at its discretion (Kranenbarg, Holt, & van der Ham, 2018), and details of a private disclosure may never be made public. In full disclosure, on the other hand, all details of the vulnerability may be made public as soon as they are identified. With full disclosure, the complete details are made public to everyone, including potential attackers, in which case a patch is often already available.
Our organization maintains both a privacy report and a transparency report. As stated in the company's privacy and security policy, our institution's websites and services are not to be used by anyone below the age of 18. This is due to the Children's Privacy Protection Act, which does not permit the company to accept any submissions made by children (Tucker, 2018). Therefore, reporters who are below 18 are not eligible to receive an award for a vulnerability report. However, the company may find another way of recognizing such an effort.
The vulnerability reporting program is not open to people in countries sanctioned by the US. Whether the company pays rewards to persons with eligible reports is at the company's discretion. To receive a reward, one must abide by the law without exception. He/she is responsible for any tax implications or additional restrictions, which depend on national and local laws. The company reserves the right to cancel the program at any time. Our organization's employees and their family members may not undertake vulnerability reporting and are not eligible for any rewards.
Researchers will need to conduct their activities consistently with our policy and within authorized conduct. Failure to do so could lead to the initiation of legal action against them. However, if a third party initiates legal action while the researcher was acting in line with the policy, we will take steps to make it known that his/her activities were conducted in compliance with our policy. Researchers who are paid by the company for reporting vulnerabilities will be responsible for any taxes associated with the reward. The organization has the right to modify the terms of the program or terminate it at any time; no changes to the program will be made retroactively. People prohibited by law from making such reports are ineligible for rewards or for reporting vulnerabilities at all.
Policy attributes
The vulnerability policy has several attributes that keep it in line with the company culture and vision. They include:
The policy demonstrates a clear and reasonable good-faith commitment to the clients and other key stakeholders whom security vulnerabilities may potentially impact. This is because all aspects of the CVD are in line with the organization's vision and mission statement, whose primary commitment is to security, customers, and other key stakeholders (Kranenbarg, Holt, & van der Ham, 2018). The CVD states why the policy was created and what it is expected to accomplish.
A CVD Procedure based on the policies
Content
Having set out the policies, we now need to understand the procedures that researchers and reporters will follow to submit vulnerability reports to our company. The procedures cover the scope, the time limits, the ways of maintaining contact, and the filing of reports with the organization.
Procedures
The goal of the CVD program will be to ensure that vulnerability reporters have a straightforward process of sharing crucial information regarding a threat or any issues related to the company system.
The submission process begins with presenting the vulnerability report through the company's email addresses or by submitting it on the website. The researcher must refrain from including sensitive information such as PHI or PII in the submission, so that the security and privacy of users are protected. The submission will need to provide the following: contact information, including name, email address, phone number, home address, and a contact person. This is followed by the date and method of discovering the vulnerability, which helps assess the legitimacy of the report. Next comes a description of the potential vulnerability, including the product name, version number, and configuration details. The reporter must then submit the steps for reproducing the vulnerability, including the tools and methods, exploitation code, and privileges required. Finally, the reporter provides the results and the likely impact of the vulnerability.
Upon receiving the vulnerability report, the organization's security and technical team will acknowledge receipt within ten business days by email or phone call. They will then work together through a well-laid-out process to evaluate and validate the research findings. The first step is to collect the vulnerability report, which is done in three ways. First, the vulnerability information is evaluated to establish that it is eligible for the following process. Second, public sources are monitored to understand whether other related vulnerability information is already public. Third, the team checks whether the security system has received direct reports of a similar vulnerability. After receiving the information, the security department performs an initial analysis, assessing the vulnerability and comparing it with existing reports to identify any likely duplicates. This is followed by cataloging the vulnerability report, including all known information regarding the vulnerability.
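As an added illustration of the submission format and intake steps just described (example code, not part of the organization's policy), the following Python sketches the initial intake check: required fields, PHI/PII screening, the ten-business-day acknowledgment date, and likely-duplicate detection against a catalog of earlier reports. The field names, the screening patterns, and any sample data are this example's own assumptions.

```python
import re
from datetime import date, timedelta

# Fields the submission format above asks for (these field names are the example's own).
REQUIRED_FIELDS = ("contact", "discovered_on", "method", "product", "version",
                   "configuration", "steps", "impact")
# Constructed screening patterns standing in for a real PHI/PII scanner:
# SSN-style numbers and medical record number tags.
PII_PATTERNS = (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                re.compile(r"\bMRN\s*[:#]?\s*\d{4,}\b", re.IGNORECASE))

def missing_fields(report):
    """Required fields that are absent or blank; a non-empty list closes the report."""
    return [f for f in REQUIRED_FIELDS if not str(report.get(f, "")).strip()]

def contains_pii(report):
    """True if any submitted text matches a PHI/PII screening pattern."""
    text = " ".join(str(v) for v in report.values())
    return any(p.search(text) for p in PII_PATTERNS)

def acknowledgment_deadline(received_iso, business_days=10):
    """Latest ISO date for acknowledging receipt, counting weekdays only (no holidays)."""
    day, remaining = date.fromisoformat(received_iso), business_days
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return day.isoformat()

def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def likely_duplicates(report, catalog, threshold=0.6):
    """Catalogued report IDs (same product/version) whose steps overlap strongly (Jaccard)."""
    key = (report["product"].lower(), report["version"])
    mine = _tokens(report["steps"])
    hits = []
    for entry in catalog:
        theirs = _tokens(entry["steps"])
        if ((entry["product"].lower(), entry["version"]) == key and mine and theirs
                and len(mine & theirs) / len(mine | theirs) >= threshold):
            hits.append(entry["id"])
    return hits

def triage(report, catalog, received_iso):
    """Intake decision per the procedure: close incomplete/PII reports, flag duplicates, else accept."""
    result = {"ack_by": acknowledgment_deadline(received_iso)}
    if missing := missing_fields(report):
        result.update(status="closed_incomplete", missing=missing)
    elif contains_pii(report):
        result["status"] = "closed_contains_pii"
    elif dups := likely_duplicates(report, catalog):
        result.update(status="probable_duplicate", matches=dups)
    else:
        result["status"] = "accepted"
    return result
```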
The second stage is an in-depth analysis of the vulnerability. After cataloging the information, a team works to understand the vulnerability by examining the technical issues and assessing the potential risks it represents. The third stage is mitigation coordination, in which the technical and security teams work together to establish the best mitigation techniques for dealing with the vulnerability (Tyzenhaus, 2018). This includes developing programs and software that protect the system against the threats presented by the identified vulnerabilities.
The fourth stage is the application of the mitigation. The teams will allow time for affected end users to obtain, test, and apply the mitigations before publicly disclosing the new measures undertaken. Finally comes the disclosure stage, in which the teams coordinate with the affected stakeholders to notify users about the vulnerability through multiple channels. The organization will strive to disclose accurate, neutral, and objective information focused on technical remediation and mitigation.
After analyzing the report, the company will contact the reporter either to request additional information or to advise on the right next course of action. This may include rewarding him/her for helping the company protect its systems and its users. However, a reporter who has committed an illegal act or failed to adhere to the policies may face legal action, since such conduct would compromise the system's security and its users.
All vulnerability reporters must be aware that our institution strongly protects our customers' health, well-being, safety, and personal information. When conducting security research, they must treat the consumer, the end user, as a top priority and ensure that all of his/her data is safeguarded, since failure to do so might expose him/her. The researcher is expected to avoid any action that would cause harm to a patient or to the institution's products (Householder, Wassermann, & Manion, 2017). It is also essential to note that vulnerability testing can negatively impact a product. It is therefore crucial to avoid testing on active products in a clinical setting. Likewise, products that have been subjected to security testing should not be used in a clinical setting.
In case of any doubt, the researcher should always communicate with our organization to ensure that nothing goes wrong in his/her vulnerability testing process. Our organization also reserves the right to modify its coordinated vulnerability disclosure process at any time. The firm does not need to give notice of such modifications and may make exemptions on a case-by-case basis. The firm also does not guarantee any particular level of response on an issue. However, in the event of a vulnerability, the firm promises to acknowledge and credit the researcher who reported it. When researching a vulnerability, researchers must follow all the guidelines and policies to the letter to avoid future conflicts and disagreements with the organization that could lead to lawsuits.
The time frames for mitigation development and scheduled disclosure could be affected by multiple factors. Factors likely to affect the timeline include threats of a severe nature, active exploitation, and/or situations that require changes to established standards (Kranenbarg, Holt, & van der Ham, 2018). Another factor is whether the vulnerability has already been publicly disclosed, e.g., published by a researcher. Another is the potential impact on critical infrastructure that interfaces with the system. National security concerns in the system may also significantly affect the time frame for mitigations, since the organization has to abide by the law. Other factors include public health or safety, which must be protected at all costs. Even when effective mitigations are available, the team's work of developing an update or patch could also delay the disclosure timeline. Finally, the researcher's estimate of the time needed to obtain, test, and apply a patch could be wrong, further delaying the timeline.
After disclosure takes place, the organization has the mandate to recognize the researcher and publish his/her name in its publications or in the media to acknowledge his/her efforts. He/she may also receive regular updates on the progress of the mitigation efforts and may be called upon to help the organization if his/her expertise is needed.
Householder, A. D., Wassermann, G., & Manion, A. (2017). The CERT Guide to Coordinated Vulnerability Disclosure. Carnegie Mellon University, Pittsburgh, PA, United States.
Kranenbarg, M. W., Holt, T. J., & van der Ham, J. (2018). Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure. Crime Science, 7(1), 1-9.
Pupillo, L. (2018). EU Cybersecurity and the Paradox of Progress. CEPS Policy Insights No. 2018/06, February 2018.
Pupillo, L., Ferreira, A., & Varisco, G. (2018). Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges. Report of a CEPS Task Force. CEPS Task Force Reports 28 June 2018.
Tucker, L. (2018). Vulnerability Disclosure Policy Basics: 5 Critical Components. Retrieved from https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components
Tyzenhaus, L. (2018). Coordinated Vulnerability Disclosure. Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA, United States.
Woszczynski, A., Green, A., Dodson, K., & Easton, P. (2020). Zombies, Sirens, and Lady Gaga–Oh My! Developing a framework for coordinated vulnerability disclosure for US emergency alert systems. Government Information Quarterly, 37(1), 101418.