Today’s columnist, Kathleen Trimble-Noble of Intel, offers insights into what makes for a good hardware-based bug bounty program. Intel ranked No. 4 in HackerOne’s 2020 list of Top 10 public bug bounty programs. (Photo: IntelPhotos, CreativeCommons CC BY-NC-SA 2.0)

Coordinated Vulnerability Disclosure (CVD) has become a critical aspect of security today. The practice protects technology users by aligning public disclosure with the availability of mitigations, which narrows the window in which criminals can exploit an unresolved vulnerability. It also improves collaboration between researchers and the affected technology companies as they develop mitigations and share their findings. The cumulative benefits are broader industry resilience to common weaknesses, more secure products, and heightened public awareness and confidence.

When executed properly, CVD can reduce the chances of actual exploitation, but success isn’t guaranteed. Security vulnerabilities, and the CVD programs built around them, fall into several main categories. Digital services issues revolve around website and web application vulnerabilities, such as those found in the OWASP Top Ten. Software vulnerabilities are design flaws or coding weaknesses in software platforms. These two categories are what people most often think of when they hear CVD, and they can generally be addressed through code revisions and pushed updates. Hardware weaknesses and industrial control system (ICS) vulnerabilities are more challenging to mitigate and disclose because of the complex supply chains, numerous dependencies, and age of the systems involved, and they are therefore even more critical to address through CVD.
