HackerOne released a new tool designed to help organizations improve the way they respond to reports about vulnerabilities in their software.
The Vulnerability Coordination Maturity Model (VCMM) was created as a guide that companies can use to learn what the best practices are for vulnerability response, measure how they compare to others, and take actions that will help them address issues before bad actors can exploit them.
Anyone can assess their vulnerability coordination maturity by going to HackerOne and answering a set of questions.
The VCMM is organized around five capability areas that determine an organization’s maturity level with respect to vulnerability response, including whether the company is organizationally set up to receive reports by having either a “email@example.com” email address, or via a form, and what actions the organization takes when a report is made.
Historically, security researchers who found vulnerabilities either couldn’t find a way to report a security issue to a company, or if they reported issues, may have been threatened with legal action.
Armed with the VCMM, organizations have a free, practical resource to aid in establishing and improving the response to vulnerability reports and the coordination with security researchers, customers and partners.
“No software is immune to bugs; for most organizations it’s not a matter of if they’ll have an external hacker reporting security vulnerabilities, but when,” said Katie Moussouris, chief policy officer, HackerOne. “This maturity model shows how to build muscles and reflexes in vulnerability coordination to improve the security of an organization’s software, and the outcome for all parties when vulnerabilities are disclosed.”