Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

UK NCSC releases the Vulnerability Disclosure Toolkit

The British National Cyber Security Centre (NCSC) released a guideline, dubbed The Vulnerability Disclosure Toolkit, for the implementation of a vulnerability disclosure process. The UK National Cyber Security Centre (NCSC) has released a guideline, dubbed The Vulnerability Disclosure Toolkit, on how to implement a vulnerability disclosure process. The guidelines highlight the importance for any organization […]

UK London councils

The British National Cyber Security Centre (NCSC) released a guideline, dubbed The Vulnerability Disclosure Toolkit, for the implementation of a vulnerability disclosure process.

The UK National Cyber Security Centre (NCSC) has released a guideline, dubbed The Vulnerability Disclosure Toolkit, on how to implement a vulnerability disclosure process.

The guidelines highlight the importance for any organization to encourage responsible bug reporting through specifically-defined processes.

A vulnerability disclosure process could help organizations in rapidly address vulnerabilities reported by experts and bug hunters to reduce the risk of compromise.

“The international standard for vulnerability disclosure (ISO/IEC 29147:2018) defines the techniques and policies that can be used to receive vulnerability reports and publish remediation information. The NCSC designed this toolkit for organisations that currently don’t have a disclosure process but are looking to create one.” reads the guideline.

Receiving vulnerability reports reduces the risk that flaws are discovered by adversaries and exploited in attacks in the wild, and improve the security of the products or services of the organization.

“Having a clearly signposted reporting process demonstrates that your organisation takes security seriously. By providing a clear process, organisations can receive the information directly so the vulnerability can be addressed, and the risk of compromise reduced.” states the document. “This process also reduces the reputational damage of public disclosure by providing a way to report, and a defined policy of how the organisation will respond”

The guideline is organized into three main sections, Communication, Policy, and Security.txt. The process for communicating a vulnerability must be clear and well defined, it could be useful to set up a specific path for disclosing the issues (email address or secure web form).

The use of security.txt standard could help to create an easy-to-find section of websites where it is possible to find the contacts and the policy.

The file contains two key fields, “CONTACT”, which includes references to report the flaw (i.e. email or secure web form) and POLICY, a link to the vulnerability disclosure policy of the organization.

The NCSC provided recommendations on how to respond to vulnerability disclosure, for example, it suggests to never ignore any reports and suggest companies to avoid forcing the finder to sign a non-disclosure agreement “as the individual is simply looking to ensure the vulnerability is fixed.”

Another crucial aspect of the Vulnerability Disclosure Toolkit is the policy, it must be clear and have to allow organizations to define expectation from vulnerability reports and their response. It is essential to enable the organization and the finder (the expert who reports the flaw) to confidently work within an agreed framework.

The release of “The Vulnerability Disclosure Toolkit” is just a part of the efforts of the UK Government in the definition of national legislative frameworks.

“Equally, going forward this requirement will be embedded into legislative frameworks. The UK government is currently developing legislation that will require manufacturers of smart devices to provide a public point
of contact as part of a vulnerability disclosure policy. This is also a requirement for other international efforts on smart device security including the standard EN 303 645″ concludes the guide.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Vulnerability Disclosure Toolkit)

[adrotate banner=”5″]

[adrotate banner=”13″]