Coordinated Vulnerability Disclosure (CVD) Policy and Procedure Essay

There is a need to develop vulnerability disclosure policies that address how a health care organization responds to a researcher's report that a product contains a vulnerability. Researchers are assured that they will not be penalized unfairly for reporting the vulnerability. The health care organization prioritizes the quality of its systems and ensures that it has the best policies in the development lifecycle for addressing vulnerabilities (Householder, Wassermann, & Manion, 2017). There may be challenges in developing a CVD program, designing repeatable procedures, and scoping the program to match the organization's technical capacity. In the wake of increasing vulnerability cases such as Heartbleed, a significant technology threat, any firm, and more so a health care organization, needs a CVD program (Woszczynski, Green, Dodson, & Easton, 2020). This gives researchers a channel for submitting potentially unknown and harmful security vulnerabilities to the organization.

The CVD will provide a precise communication mechanism for people to report vulnerabilities in the firm's products and services. The CVD need not be long, but it should contain the elements of promise, scope, safe harbor, process, and preferences (Pupillo, Ferreira, & Varisco, 2018). This particular CVD will make clear promises and demonstrate a reasonable good-faith commitment to customers and other key stakeholders whom security vulnerabilities may impact. For scope, the CVD will indicate the properties and products and the vulnerability types covered; for process, it will describe how finders report vulnerabilities. For safe harbor, the CVD will ensure that good-faith reporters are not penalized. Finally, the CVD will remain a living document that sets expectations for the preferences and priorities used when evaluating reports.

Scope

Our health organization seeks to be a leader in protecting our users' security and privacy. Hence it has designed its systems with a security-first framework. The organization performs threat modeling and resilience testing through its IT department to acquire solutions and maintain a secure system. As a result, the organization welcomes security researchers who inform the company of any vulnerabilities that could put the firm's safety and security at risk.

Researchers also need to notify the company of any vulnerability that could compromise the integrity, confidentiality, or availability of the organization's systems. The vulnerability disclosure policy applies whenever the company interacts with other parties and governs its dialogue with any security researcher who reports details of vulnerabilities (Kranenbarg, Holt, & van der Ham, 2018). The company intends to have integration mechanisms in place and to work well with others to protect its systems and ensure the safety and security of its users. The scope of the CVD program for the health care organization covers any security vulnerability that affects the organization's technology. The following items will be within the scope of the CVD program:

  • The health organization authorizes good-faith research into any of its digital systems and assets, including the company website, the website infrastructure hosted on AWS, and any other repository the institution hosts.
  • Some of the vulnerabilities that are out of scope include physical security for the institution and any feature related to social engineering.
  • For vulnerabilities in third-party systems, libraries, and code, the company will guide researchers to report them to the appropriate parties. This may be done through a coordinator such as the CERT/CC. Where a third-party issue is reported to our institution, we may also report it through the institution's supply chain, but not to other third parties. This can improve the responsiveness of the supplier of the product or software.

  • In addition to reporting issues directly to the organization, potential vulnerabilities in any software or product belonging to an organization not associated with our firm should be reported to that software or product vendor directly.
  • Our organization currently does not pay bounties or maintain a “hall of fame” for vulnerability reports.
  • It should be noted that our organization supports security researchers that only act in good faith.
  • The company believes that well-intentioned security research helps in improving patient safety and the overall effectiveness of the hospital.
  • Our company does not intend to take any legal action against any researcher who appears to be acting in good faith.
  • The company considers research conducted under this policy to be either authorized or exempt. Authorized means it is conducted in view of the applicable anti-hacking and anti-circumvention laws in place. Exempt means it is exempt from conflicting restrictions in the documents governing our in-scope digital assets, as indicated in the scope.
  • Every party is expected to comply with the applicable laws. If a third party takes legal action against a researcher, and our company finds that the research was conducted in compliance with our policy, we will make this policy known. For the avoidance of doubt, our company will nevertheless not be liable for any liability or costs associated with legal action by a third party.
  • At any point, if a researcher has a concern or is uncertain whether the security research is in line with our policy, he/she must submit a report through our official channels before going any further with the research.

What is expected of the researcher

Security researchers are encouraged to undertake vulnerability research. However, to differentiate between legitimate research and malicious activity, researchers need to:

  1. Follow all the rules, policies, and any other agreements set forth by our company. This ensures that they are conversant with what is expected of them, which raises the likelihood that their vulnerability submission will be accepted.
  2. Comply with all applicable laws (local, state, and international).
  3. Report any potential vulnerability discovered.
  4. Protect the confidentiality and details of any vulnerabilities. There are many ways to ensure this. First, limit disclosure to those who need to know. Appropriate contractual protections such as non-disclosure agreements should also be used to prevent leakage. Suitable security measures such as firewalls, encryption, and anti-hacking tools should be established to protect the information from leaking to the public. A researcher will need to ensure that all these measures, together with appropriate procedures, are in place to avoid leaking the vulnerabilities to unintended parties.
  5. If a vulnerability has provided unintended access to data, the researcher will need to:
      • Limit the amount of data accessed to the minimum needed to demonstrate a proof of concept effectively.
      • Stop testing and immediately submit a report if they encounter any user data in the course of testing. User data includes Protected Health Information and Personally Identifiable Information, among others.
  6. At all times, use official channels to discuss the vulnerability with the company.
  7. Perform testing only on in-scope digital assets.
  8. Always respect the assets and activities that are out of scope.
  9. Limit testing to interactions with accounts they own.
  10. Use other accounts only with the explicit permission of the account holder.
  11. Notify our company of any plans to make a public disclosure, including the method and timing.
  12. Never engage in extortion.

 

What you can expect from our company

Once you work in accordance with our policy and the rules and regulations, this is what you can expect from our company:

  1. A response to any submission within ten days
  2. Maintenance of a productive dialogue
  3. Work with you to help you understand and validate any report you make
  4. Prompt remediation of any validated vulnerability
  5. Regular progress updates, including notification once the company believes it has fully addressed the underlying issue

A vulnerability can be reported by sending a message to our email addresses or through our website. When reporting, a researcher is asked not to abuse the reported vulnerability (Pupillo, 2018). Abuse includes downloading more data than necessary to demonstrate the vulnerability, or deleting any part of the system or its data. Reporters are also asked to exercise caution and refrain from accessing any personal data. They must not intentionally engage in any form of attack against third parties, carry out denial-of-service attacks, or in any way cause a nuisance to other users.

How to submit a vulnerability report

A high-quality report is needed to get feedback from our organization's team. Specific elements must be part of the report to demonstrate the vulnerability clearly. Reports of low quality will be closed and not attended to. The following is the recommended format, which will be accepted once submitted through our email or website:

  1. The affected target, feature, and/or URL
  2. A comprehensive description of the problem
  3. The impact of the issue on the company, the users, or any other party
  4. The specific steps to reproduce the issue
  5. A proof of concept
  6. Whether the issue is currently publicly known or not

Eligibility and Disclosure

For a submitted vulnerability to be eligible, the researcher must agree to the vulnerability disclosure policy. He/she must confirm that he/she is the first person to responsibly report the previously unknown issue. Once a report is sent to our organization, legitimate reports are reviewed and evaluated by our company's technical and security team, which then determines whether the report is eligible (Tucker, 2018). Disclosure may take place either privately or publicly. In private disclosure, the vulnerability is reported discreetly to the firm. The firm may choose whether or not to publish the details, at its discretion (Kranenbarg, Holt, & van der Ham, 2018). Details of a private disclosure may never be made public. In full disclosure, on the other hand, all details of the vulnerability may be made public as soon as they are identified. In full disclosure, the full details are made public to everyone, including potential attackers, in which case a patch is often already available.

Privacy Policy, Restrictions, and Taxes

Our organization maintains both privacy and transparency. As mentioned in the company's privacy and security policy, our institution's websites and services are not to be used by anyone below the age of 18. This is due to the Children's Privacy Protection Act, which does not permit the company to accept any submissions made by children (Tucker, 2018). Therefore, reporters who are below 18 are not eligible to receive any award after making a vulnerability report. However, the company may find another way of recognizing such an effort.

The vulnerability report program is not open to people in countries sanctioned by the US. The decision to pay rewards to persons with eligible reports is at the company's discretion. To receive a reward, one must abide by the law without fail. He/she is responsible for any tax implications or additional restrictions, which depend solely on the applicable national and local laws. The company reserves the right to cancel the program at any time. Our organization's employees and their family members are not permitted to undertake vulnerability reporting and are not eligible for any rewards.

Researchers will need to conduct their activities consistently in line with our policy so that their conduct is considered authorized. Failure to do so could lead to legal action against them. However, if a third party initiates legal action while the researcher was acting in line with the policy, we will take steps to make it known that his/her activities were conducted in compliance with our policy. Researchers who are paid by the company for vulnerability reports are responsible for paying any taxes associated with the reward. The organization has the right to modify the terms of the program or terminate the program at any time. Changes to the program will not be made retroactively. People prohibited by law from making such reports are ineligible for rewards and for reporting vulnerabilities.

Submission preferences and prioritizations

Vulnerability reports will be beneficial to the institution only if they:

  i. Are strictly fact-based and concise.
  ii. Include how the researcher found the vulnerability, its impact, and the most suitable remedial suggestions.
  iii. Have proof-of-concept code that helps diagnose the root cause as fast as possible. This may include crash dumps and automated tool output, which are essential. They also need to be accompanied by code or clearly defined steps that focus on reproducibility, which makes them very valuable to the organization.
  iv. Videos are acceptable but must be supported by a proof of concept and reproduction steps. The organization strongly discourages any video that lacks supporting material.
  v. Are written in English. However, no submission will go unattended, even in another language.

As much as it encourages good-faith reports, our organization categorically states that it has no control over third parties. However, where appropriate, the organization will involve third parties in issues regarding vulnerabilities and reports as responsibly as possible.

Policy attributes

The vulnerability policy has several attributes that keep it in line with the company's culture and vision. They include:

  1. Promise

The policy demonstrates a clear and reasonable good-faith commitment to the clients and other key stakeholders whom security vulnerabilities may potentially impact. This is because all aspects of the CVD are in line with the vision and mission statement of the organization, where the primary commitment is to security, customers, and other key stakeholders (Kranenbarg, Holt, & van der Ham, 2018). The CVD states why the policy was created and what it is expected to accomplish.

  2. Scope

The scope is well laid out and indicates the products and services covered. It also states what the company needs researchers to report on to help maintain the security of the company's systems; both what is in scope and what is not are clearly laid out.

  3. "Safe Harbor"

The company's CVD policy assures all reporters that, as long as they act in good faith, they will not be unduly penalized. Reporters are assured by the policy statement that no legal action will be taken if they abide by the set rules and regulations and act in good faith. The policy clarifies that any individual willing to participate in vulnerability research, if they mean well for the company, is safe and may even receive a reward if their report is eligible.

  4. Process

Another attribute of the policy is the explanation of the entire process of reporting a vulnerability. It states the steps researchers must take to submit their reports and ensure that they are eligible. Any reporter who reads the process in the policy will quickly understand how to approach the company and submit his/her vulnerability report. It is essential to note that finders are not paid by default but may be rewarded if their reports are well explained and give the company important information. This means that they need to follow the procedures so that their data is structured and the guidelines and policies are followed.

  5. Preferences

This is the final attribute of the policy, where it examines whether the policy is clear on issues such as submission and initial response. All these issues are addressed in the policy, including changes to the process, submission days, and replies by the organization's team.

A CVD Procedure based on the policies

Content

After highlighting the policies, there is now a need to understand the procedures that researchers and reporters will follow to submit vulnerability reports to our company. The procedures cover the scope, the time limits, the ways of maintaining contact, and the filing of reports with the organization.

Scope

  • The CVD process is in place for the reporting of any likely threats, weaknesses, or potential weaknesses that can affect the systems of our organization.
  • The purpose of reporting is to help safeguard the privacy and security of the system's users and to save the organization from incurring losses resulting from the weakness or an attack.
  • Reporting a vulnerability does not necessarily mean that the company will pay the researcher, since the report has to align with the set policies.
  • Researchers need to ensure that they are eligible before making a report.
  • Following the correct procedures will ensure that researchers get the reporting right. Our organization's technical and security team will treat their reports as a serious issue and a matter of urgency.
  • Once the research is validated, the reporter will likely be accorded a reward, which may include a monetary token of appreciation.

Procedures

The goal of the CVD program will be to ensure that vulnerability reporters have a straightforward process of sharing crucial information regarding a threat or any issues related to the company system.

Contact information and CVD submission process

The submission process consists of presenting the vulnerability report through the company's email addresses or through the website. The researcher is required to exclude sensitive information such as PHI and PII from the submission so that the security and privacy of users are protected. In the course of the submission, the following must be provided: contact information, including name, email address, phone number, home address, and a contact person. This is followed by the date and method of discovering the vulnerability, which helps in analyzing the eligibility of the report. The reporter must then describe the potential vulnerability, including the product name, version number, and configuration details. The reporter must then submit the steps for reproducing the vulnerability, including tools and methods, exploitation code, and privileges required. Finally, the reporter must provide the results and the likely impact of the vulnerability.

What happens next

Upon receiving a vulnerability report, the organization's security and technical team will acknowledge receipt within ten business days by email or phone call. They will then work through a well-laid-out system to evaluate and validate the research findings. The first stage is to collect the vulnerability report, which is done in three ways. First, the vulnerability information is evaluated to establish that it is eligible for the following stages. This is followed by monitoring public sources to understand whether other information related to this vulnerability is already public. The third way is to assess whether the security team has received direct reports of a similar vulnerability. After receiving the information, the security department performs an initial analysis, assessing the vulnerability and comparing it with existing reports to identify likely duplicates. This is followed by cataloging the vulnerability report, including all known information about the vulnerability.

The second stage entails an in-depth analysis of the vulnerability. After cataloging the information, a team works to understand the vulnerability by examining the technical issues and assessing the potential risks the vulnerability represents. The third stage involves mitigation coordination. This entails the technical and security teams working together to establish the best mitigation techniques for dealing with the vulnerability (Tyzenhaus, 2018). The process involves developing programs and software that can protect the system against any threats presented by the identified vulnerability.

The fourth stage is the application of the mitigation. The teams will allow time for affected end users to obtain, test, and apply the mitigation before the new measures are publicly disclosed. Finally, there is the disclosure stage. This involves coordinating with the affected stakeholders and the teams to notify users about the vulnerability through multiple channels. The organization will strive to disclose accurate, neutral, and objective information focused on technical remediation and mitigation.

After analyzing the report, the company will contact the reporter either to request any additional information needed or to advise on the right next course of action. This may include rewarding him/her for helping the company protect its systems and its users. However, a reporter who has committed an illegal act or failed to adhere to the policies may face legal action, since such conduct would compromise the system's security and its users.
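As an added worked example (not the organization's own tooling and not part of the essay), the following Python models the intake rules and the five-stage process described above, together with the required elements from the "How to submit a vulnerability report" section; the field names, stage names, sample submission and PHI/PII patterns are constructed assumptions.

```python
# Added example (not the organization's tooling): intake and triage model for the CVD
# procedure in this essay. Field names, stage names, samples and patterns are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
import re

# Elements a report must contain, per the submission format and contact section.
REQUIRED_FIELDS = ("contact_email", "date_discovered", "target", "description",
                   "impact", "steps_to_reproduce", "proof_of_concept", "publicly_known")
OUT_OF_SCOPE = {"physical security", "social engineering"}   # named out of scope by the policy
SENSITIVE_PATTERNS = (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),    # constructed SSN-like stand-in
                      re.compile(r"\bMRN\s*[:#]?\s*\d{6,}\b", re.IGNORECASE))  # MRN-like stand-in


class Stage(Enum):
    RECEIVED = "received"
    HELD = "held"              # waiting on the reporter, e.g. PHI/PII must be redacted
    CLOSED = "closed"          # low quality or out of scope
    COLLECTED = "collected"    # eligibility, public sources and duplicates reviewed
    ANALYZED = "analyzed"      # in-depth technical and risk analysis
    MITIGATION_COORDINATED = "mitigation coordinated"
    MITIGATION_APPLIED = "mitigation applied"
    DISCLOSED = "disclosed"


# The five-stage process in order; an accepted report advances one stage at a time.
PIPELINE = [Stage.COLLECTED, Stage.ANALYZED, Stage.MITIGATION_COORDINATED,
            Stage.MITIGATION_APPLIED, Stage.DISCLOSED]


@dataclass
class Report:
    fields: dict
    category: str
    received: date
    stage: Stage = Stage.RECEIVED
    notes: list = field(default_factory=list)


def business_days_after(start: date, n: int) -> date:
    """Date n weekdays (Mon-Fri) after start; public holidays are ignored."""
    while n > 0:
        start += timedelta(days=1)
        n -= start.weekday() < 5   # only Monday..Friday count down
    return start


def acknowledgement_due(report: Report) -> date:
    return business_days_after(report.received, 10)   # ten business days, per the essay


def triage(report: Report) -> Report:
    """Apply the policy's intake rules and set the resulting stage."""
    missing = [f for f in REQUIRED_FIELDS if not report.fields.get(f)]
    text = " ".join(str(v) for v in report.fields.values())
    if missing:
        report.notes.append("closed: low quality, missing " + ", ".join(missing))
        report.stage = Stage.CLOSED
    elif report.category.lower() in OUT_OF_SCOPE:
        report.notes.append(f"closed: '{report.category}' is out of scope")
        report.stage = Stage.CLOSED
    elif any(p.search(text) for p in SENSITIVE_PATTERNS):
        # Submissions must not carry PHI/PII: hold and ask for a redacted resubmission.
        report.notes.append("held: PHI/PII-like data present, request redaction")
        report.stage = Stage.HELD
    else:
        report.notes.append(f"acknowledge by {acknowledgement_due(report)}")
        report.stage = Stage.COLLECTED
    return report


def advance(report: Report) -> Report:
    """Move an accepted report to the next stage; closed, held or disclosed ones cannot."""
    if report.stage not in PIPELINE[:-1]:
        raise ValueError(f"cannot advance a report that is {report.stage.value}")
    report.stage = PIPELINE[PIPELINE.index(report.stage) + 1]
    return report


def sample_report(category="company website", **overrides) -> Report:
    """Constructed, complete sample submission; overrides drop or alter fields."""
    fields = {"publicly_known": "no", "contact_email": "finder@example.com",
              "date_discovered": "2022-05-27", "target": "https://portal.example-hospital.test/login",
              "description": "session cookie is set without the Secure flag",
              "impact": "session token can be sent over plaintext HTTP",
              "steps_to_reproduce": "1. log in  2. inspect the Set-Cookie header",
              "proof_of_concept": "curl -I https://portal.example-hospital.test/login"}
    fields.update(overrides)
    return Report(fields=fields, category=category, received=date(2022, 5, 30))
```

The sample is received on a Monday, so the ten-business-day acknowledgement falls two weeks later; a report closed for missing fields, one in an out-of-scope category, and one carrying MRN-like data each stop before the pipeline.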

Disclaimer

All vulnerability reporters must be aware that our institution strongly protects our customers' health, well-being, safety, and personal information. When conducting security research, they must treat the consumer, the end user, as the top priority and ensure that all of his/her data is safeguarded; failure to do so may expose the researcher to liability. The researcher is expected to avoid any action that would cause harm to patients or to the institution's products (Householder, Wassermann, & Manion, 2017). It is also essential to note that vulnerability testing can negatively impact a product. It is therefore crucial to avoid testing on active products in a clinical setting. Likewise, products that have been subjected to security testing should not be used in a clinical setting.

In case of any doubt, the researcher should always communicate with our organization to ensure that nothing goes wrong in his/her vulnerability testing. Our organization also reserves the right to modify its coordinated vulnerability disclosure process at any time. The firm need not give notice of such modifications and can make exemptions on a case-by-case basis. The firm also does not guarantee any particular level of response on an issue. However, in the event of a vulnerability, the firm promises to acknowledge and give recognition to the researcher who reported it. When researching a vulnerability, all guidelines and policies must be followed to the letter to avoid future conflicts and disagreements with the organization that could lead to lawsuits.

Disclosure Timeline

The time frames for mitigation development and scheduled disclosure can be affected by multiple factors. Factors likely to affect the timeline include threats of a severe nature, active exploitation, and situations that would require changes to established standards (Kranenbarg, Holt, & van der Ham, 2018). Another factor is whether the vulnerability has already been publicly disclosed, e.g., published by a researcher. Another is the potential impact on critical infrastructure that interfaces with the system. National security concerns may also significantly affect the time frame for mitigation, since the organization has to abide by the law. Other factors include public health and safety, which must be protected at all costs. When effective mitigations are available, the time the team needs to develop an update or patch can also delay the disclosure timeline. Finally, the researcher's estimate of the time needed to obtain, test, and apply a patch could be wrong, delaying the timeline further.

After disclosure takes place, the organization may recognize the researcher and publish his/her name in its publications or in the media to acknowledge his/her efforts. He/she may also be kept updated on the progress of the mitigation efforts and may be asked to help the organization if his/her expertise is needed.

 

References

Householder, A. D., Wassermann, G., & Manion, A. (2017). The CERT guide to coordinated vulnerability disclosure. Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA.

Kranenbarg, M. W., Holt, T. J., & van der Ham, J. (2018). Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure. Crime Science, 7(1), 1-9.

Pupillo, L. (2018). EU Cybersecurity and the Paradox of Progress. CEPS Policy Insights No 2018/06, February 2018.

Pupillo, L., Ferreira, A., & Varisco, G. (2018). Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges. Report of a CEPS Task Force. CEPS Task Force Reports 28 June 2018.

Tucker, L. (2018). VULNERABILITY DISCLOSURE POLICY BASICS: 5 CRITICAL COMPONENTS. Retrieved from https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components

Tyzenhaus, L. (2018). Coordinated Vulnerability Disclosure. Carnegie Mellon University Software Engineering Institute Pittsburgh United States.

Woszczynski, A., Green, A., Dodson, K., & Easton, P. (2020). Zombies, Sirens, and Lady Gaga–Oh My! Developing a framework for coordinated vulnerability disclosure for US emergency alert systems. Government Information Quarterly, 37(1), 101418.

 

Cite this Page

Coordinated Vulnerability Disclosure (CVD) Policy and Procedure Essay. (2022, May 30). Essay Writing. Retrieved July 02, 2022, from https://www.essay-writing.com/samples/coordinated-vulnerability-disclosure-cvd/