New Zealand’s Government Communications Security Bureau (GCSB) has advised government agencies to introduce vulnerability disclosure policies (VDPs).

The GCSB said agencies should establish a process that would allow members of the public to report potential software vulnerabilities or other security problems.
Under the new mandate, each agency will be responsible for creating its own policy, based on the sensitivity of the information it holds, the security measures already in place, and its ability to segment its network or otherwise segregate sensitive information. Vulnerabilities should be patched, mitigated, or managed within 90 days.
This move by the New Zealand government is in line with global best practices for cybersecurity and helps standardize the policies to create clear pathways for ethical hackers to submit and communicate about potential vulnerabilities.
But, if you’re charged with securing technology at a government agency, what does this mean?
The GCSB offers guidelines on how to develop and publish VDPs, and on how reported vulnerabilities should be disclosed and mitigated.
So what do you do now? Here are some steps you should start today to comply with this directive while effectively reducing the risk to your internet-facing technologies.
What’s Required?
The GCSB has some requirements, ranging from adding a security contact email address to developing vulnerability handling, disclosure, and reporting processes. It’s a lot to do, especially for those starting from scratch.
An agency’s vulnerability disclosure policy (VDP) must contain at least the following core content:
  1. A scoping statement listing the systems the policy applies to (e.g. the agency’s website and other public-facing systems);
  2. Contact details: how finders can contact the agency’s security team (including any public keys for encrypting reports);
  3. Permitted activities;
  4. Acknowledgement of reports and a response time (typically 60 or 90 days) for corrections, adjustments, or other “fixes”;
  5. An agreement that reporters/finders will not share information about the vulnerability until the end of the disclosure period, so the agency can fix the issue before it becomes public;
  6. A statement that illegal activities are not permitted (specifying any relevant legislation, such as the Crimes Act, the Privacy Act etc.); and
  7. Either a statement that bug bounties will not be paid for any discoveries, or information about the agency’s bug bounty programme.
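As an added example (not code from this post, the GCSB or Capture The Bug), the Python below publishes the contact, encryption-key and policy elements from the list above in the standard security.txt format (RFC 9116) and validates a file before it goes live; the agency.example.nz addresses and dates are constructed placeholders.

```python
"""Publish a VDP's contact details as security.txt (RFC 9116) and validate it before it goes live."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed VDP elements (agency.example.nz is a placeholder), mapped to security.txt fields.
VDP = {
    "contact": ["mailto:security@agency.example.nz"],       # how finders reach the security team
    "encryption": ["https://agency.example.nz/pgp-key.txt"],  # public key for encrypting reports
    "policy": "https://agency.example.nz/security/vdp",       # scope, permitted activities, legal and bounty statements
    "valid_days": 365,  # RFC 9116 requires Expires; a value under a year ahead is recommended
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the output is reproducible
ISO = "%Y-%m-%dT%H:%M:%SZ"

def render_security_txt(vdp, now):
    """Return the file text; Contact and Expires are the mandatory fields."""
    lines = [f"Contact: {c}" for c in vdp["contact"]]
    lines += [f"Encryption: {e}" for e in vdp.get("encryption", [])]
    lines.append(f"Expires: {(now + timedelta(days=vdp['valid_days'])).strftime(ISO)}")
    if "policy" in vdp:
        lines.append(f"Policy: {vdp['policy']}")
    return "\n".join(lines) + "\n"

def parse_security_txt(text):
    """Parse 'Field: value' lines (names are case-insensitive) into {name: [values]}."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now):
    """Return a list of problems; an empty list means the file is fit to publish."""
    f, problems = parse_security_txt(text), []
    if not f.get("contact"):
        problems.append("Contact is required")
    for c in f.get("contact", []):
        if urlparse(c).scheme not in ("mailto", "https", "tel"):
            problems.append(f"Contact must be a mailto:, https: or tel: URI, got {c!r}")
    if len(f.get("expires", [])) != 1:
        problems.append("exactly one Expires field is required")
    elif datetime.strptime(f["expires"][0], ISO).replace(tzinfo=timezone.utc) <= now:
        problems.append("Expires must be in the future")
    for e in f.get("encryption", []):
        if urlparse(e).scheme not in ("https", "dns", "openpgp4fpr"):
            problems.append(f"Encryption must be an https:, dns: or openpgp4fpr: URI, got {e!r}")
    return problems
```

The rendered file is served at /.well-known/security.txt; the Policy link is where the scope, permitted-activity, legal and bug-bounty statements from the list live.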
Building an Effective VDP
A good Vulnerability Disclosure Program (VDP) makes it easy for researchers and ethical hackers to report any vulnerabilities they find.
However, implementing a good VDP can be challenging. If policies are poorly written or processes are cumbersome, it can increase your agency’s risk or waste resources.
Your security team needs to be ready to handle many reports and quickly sort, route, and communicate with reporters and development teams. Any issues along the way could make security researchers unhappy or put your security at risk.
It is important to involve all stakeholders from the beginning, not just security, IT, and web development teams. Other teams such as Legal, Communications, and Operations may be affected by a security gap or want to know about security efforts.
At Capture The Bug, we provide many tools to help you create an effective VDP. We offer a complete platform for deploying a VDP and managing the entire process, including reporting, communication, and mitigation. Our platform can be integrated with your existing security and collaboration tools.
Opening Statement
Responsible disclosure is a process based on trust. In the past, ethical hackers have been hesitant to notify organizations of potential vulnerabilities due to threats of legal actions. However, more organizations are now recognizing the power of collective intelligence and public VDPs.
Nonetheless, researchers still fear the potential legal repercussions unless the VDP clearly commits to not penalizing those who report potential vulnerabilities in good faith.
This statement is typically the opening section of a well-written VDP. It is simply a statement that explains the agency’s commitment to security and invites researchers to submit vulnerabilities.
The opening statement for the Ministry of Social Development is as follows: “The Ministry of Social Development (the Ministry) takes the security and privacy of our information seriously. If you identify a security issue with our systems, please let us know so we can address it.”
Identify Your Scope
This section provides information on vulnerability disclosure for all externally-facing agency systems, including public-facing systems.
When determining which systems, applications, and data fall within the scope of a vulnerability disclosure program (VDP), agencies may consider the following:
  1. The sensitivity of the information on the agency’s systems, including financial data, medical information, proprietary information, customer data, or other personally identifiable information (PII).
  2. Existing security safeguards on the system, such as data encryption at rest.
  3. The agency’s ability to segment its network or otherwise segregate sensitive information stored on its systems.
  4. Regulatory, contractual, privacy, or other restrictions on the disclosure of protected classes of information (such as within the New Zealand Classification System).
Capture The Bug can assist agencies and organizations with creating and articulating their VDP, including defining and publishing what is in and out of scope.
Establish a Clear Process
While the scope defines the properties covered by your VDP, it also defines the rules of the game for ethical hackers.
Once a potential vulnerability is found, the real disclosure and mitigation process begins. When security risks in agency services are discovered and reported to the agency, it is vital that a robust communication channel is available to receive the report.
To facilitate a clear process, GCSB requires that agencies provide a description of how reports are to be sent, detail the information to be included with the report, and allow for a statement that reporters may submit.
But this is just the first step in a long process of triage and remediation. You’ll need to assess, prioritize, mitigate, and address incoming vulnerability reports.
Capture The Bug helps agencies of any size manage the publishing and facilitation of a VDP effectively. This includes articulating a policy to meet your agency’s unique needs and building a streamlined process to comply with the new GCSB mandate.
Why Capture The Bug
Capture The Bug can help you establish a Vulnerability Disclosure Program (VDP) that allows you to achieve compliance with minimal operational disruption. But more importantly, we can guide you on your end-to-end strategy. With Capture The Bug, you can craft a VDP, report on program statistics and specifics, and create a strategy that’s right for your organization.
Capture The Bug delivers community-powered security solutions with efficiency and effectiveness.
The GCSB mandate is an effort to improve overall security. Don’t waste the expense and opportunity to maximize the security benefits of this new program. Capture The Bug offers testing that conforms to your agency’s needs, helps integrate vulnerability reports with your existing processes, and facilitates access to the world’s largest community of security researchers.
With Capture The Bug, you can comply with GCSB, improve your security, and do it all with minimal operational disruption. To learn more, visit capturethebug.xyz or send a message to hello@capturethebug.xyz to speak with one of our experts.