A security researcher has welcomed the UK’s launch of a vulnerability co-ordination pilot while cautioning that a strategy for handling Freedom of Information requests needs to be developed.
The National Cyber Security Centre (NCSC) scheme will focus on handling vulnerabilities that crop up in government-run systems. The proposed framework is built around an established international standard for vulnerability disclosure, ISO/IEC 29147:2014.
In the past conversations between security researchers and government bodies have been handled through GovCert and CERT-UK. “The disclosure process has never been quite as smooth as we would have wanted,” the NCSC admitted in a blog post.
The new method aims to provide faster and more efficient triage on reports of security flaws consistent with what the NCSC describes as Active Cyber Defence. This will mean a redesigned approach, which will be tested through a pilot programme.
“Over the next few months we will be working with an invited group of UK-based security practitioners to help us to identify and resolve vulnerabilities across three publicly facing systems used in UK Public Sector. To help us get this right we are working with LutaSecurity for advice and will look to use a recognised platform for vulnerability co-ordination.”
Steve Armstrong, a pen tester and former lead of the RAF’s penetration and TEMPEST testing teams, welcomed the strategy.
“Government is recognising that more services online means more risk and more customer exposure,” Armstrong told El Reg. “One thing that government has a bad history is connecting the right people to the information.
“It will be interesting to see how many reports they get and how fast they handle them. From an Operational Security (OPSEC) viewpoint, I wonder how long it will be before they get their first FOI [freedom of information] request and it will be interesting to see how they handle them.”
Armstrong warned that FOI requests could undermine the programme by creating an environment where vulnerabilities are treated as fodder for news stories rather than flaws that ought to be swiftly and discretely resolved.
“I can almost see the waves of ‘How many critical vulnerabilities have been reported and how many are still outstanding?'” Armstrong said. “Hopefully the legal beagles have that nailed down so we don’t leak that info to those that would see us fall.”
Receiving vulnerability reports from the external security community needs to be supplemented by penetration testing, internal security reviews and patching, according to the NCSC.
The overall aim is to achieve an “effective, mature approach” to handle the disclosure of security vulnerabilities in public sector systems and services.
Alex Rice, CTO of HackerOne, a specialist bug bounty firm, also welcomed the UK government’s vulnerability disclosure plan.
“The success of DoD’s vulnerability disclosure programme has proven that they are an essential part of the strategy in the defence of even the most mission-critical systems,” Rice said. “We applaud the UK government in adopting this security best practice.”
Independent infosec consultant Brian Honan, the founder and head of Ireland’s CERT, told El Reg that the NCSC is blazing a path he hopes “many other governments and CERTs” will follow.
“Having a formal vulnerability disclosure process is good for all involved,” Honan said. “Historically Computer Emergency Response Teams have helped co-ordinate disclosures but often these have been on best efforts. In addition, many CERTs do not have any authority or influence over private companies and if the vulnerability is not being treated with the right level of urgency the CERT and security researchers can end up frustrated with the overall process, often resulting in breakdown in relationships and the resulting negative impact on future vulnerability disclosure.” ®
UK vuln ‘fessing pilot’s great but who’s going to give a FoI? – The Register