It’s like a bug bounty programme – but without the bounty, yet.
Security researchers who find vulnerabilities in UK government web services can now report them directly to the National Cyber Security Centre (NCSC), rather than wondering who to tell – and whether they’ll get prosecuted for doing so.
That’s according to “Ollie”, the NCSC’s vulnerability disclosure lead, who announced a new vulnerability reporting service in a blog published on Thursday.
The service acknowledges the “crucial role security researchers play in helping to secure UK government web services”, he wrote.
“The quickest way to remediate a security vulnerability is to report it to the system owner. However we appreciate that it can be hard to find the right contact, so researchers can now report the vulnerability to us.”
NCSC Vulnerability Reporting: Pilot Bug Bounty Programme Also Live
Along with direct disclosure, it has also launched a pilot bug bounty programme through HackerOne, albeit sans bounty.
“We are keen to show our appreciation by issuing HackerOne reputation points to those that disclose”, the NCSC writes.
“Having a mature and co-ordinated vulnerability disclosure process helps decrease the risk of an incident occurring”, Ollie adds.
The pilot’s aim is to identify the best way to help fellow government organisations establish a vulnerability disclosure process. HackerOne has been selected as the bug bounty platform provider and NCC Group as the assessment partner.
The work my company @LutaSecurity is doing w @NCSC to ensure they are following vulnerability disclosure best practices is highlighted in a new blog by Ollie, the UK gov technical lead.
"The quickest way to remediate a security vulnerability is to report it to the system owner." https://t.co/Gx3l4b4xPO
— Katie Moussouris (@k8em0) December 19, 2018
Vulnerability disclosure authority Katie Moussouris’s Luta Security has been supporting the NCSC to ensure it is following industry best practice.
What is HackerOne?
HackerOne allows organisations to get their networks and applications tested for cyber vulnerabilities – via its centralised platform – by a largely freelance coterie of hackers. Those who can demonstrate successful exploits typically earn cash.
The UK arguably lags the US somewhat in this regard. The “Hack the Pentagon” crowd-sourced security programme with HackerOne launched in 2016 and has resulted in the resolution of over 3,000 security vulnerabilities thus far.
The US’s Hack the Army programme in December 2016 surfaced 118 valid vulnerabilities and paid out $100,000. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hackers earned more than $130,000.
Chris Wallis, founder of Intruder, told Computer Business Review: “It’s great to see the NCSC rolling out a vulnerability disclosure programme for the U.K. Government. No organisation can hope to secure every last piece of the puzzle, so these programmes are now a crucial step for any mature cyber security operation. Many security researchers will delight in the kudos of finding weaknesses in Government systems, although for some there will remain the temptation to sell vulnerabilities to the highest bidder, especially while no monetary rewards are on offer.”
Disclosures Exempt from Equities Process
It was referring to a recent publication that detailed why and when UK intelligence services choose not to disclose vulnerabilities in software.
With regard to the bug bounty programme, Charl van der Walt, Chief Security Strategy Officer for SecureData Europe, earlier told Computer Business Review: “Bug bounty programmes have absolutely been a good thing.”
“They’ve given the offensive side of the fence a way to cleanly monetise vulnerabilities – selling on the black market is tricky; how do you know you’re not selling to a cop? – and generated a lot of really useful data.”
He added: “I was recently asked if participating is a bit like ‘painting a target on your head’. The short answer is no: there is no way of staying under the radar.”
“The bad guys will find you anyway. And these programmes can also really motivate a company: CISOs rarely get enough attention and participation seems to galvanise executives; things start happening that never did before.”