Let’s first define what we’re talking about when we refer to these NIST controls. NIST SP 800-53 is a widely used security control catalog and is also the baseline control set for the U.S. Federal Government’s FedRAMP program. In 2020, the National Institute of Standards and Technology (NIST) released revision 5 (rev 5) of the 800-53 standard, which reframes the controls around the outcomes a security program must achieve rather than around who is implementing them. We’re talking about this again now because the FedRAMP Program Management Office (PMO) recently issued guidance on how rev 5 will be incorporated into FedRAMP assessments in 2024, so the clock is ticking for organizations to get their plan in place.
In rev 5, NIST introduces a new control enhancement, RA-5(11), which requires organizations (in the FedRAMP context, the cloud service providers being authorized) to “Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.”
The NIST guidance further recommends that:
“The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.”
Essentially, organizations must genuinely embrace the open nature of public vulnerability reporting. Ethical hackers who report vulnerabilities in good faith should be welcomed, and while an organization may ask for a specific time frame in which to remediate before the finder goes public, it cannot make its authorization conditional on indefinite silence. This latest revision moves us much closer to a true “see something, say something” mindset that accepts any vulnerability report from the public.
In essence, the guidance is talking about a “Vulnerability Disclosure Policy,” which typically includes the following elements:
- Promise: Demonstrate a clear, good-faith commitment to customers and other stakeholders potentially impacted by security vulnerabilities;
- Scope: Indicate what properties, products, and vulnerability types are covered;
- Safe Harbor: Assures vulnerability finders that they will not be penalized or prosecuted if they follow the policy;
- Process: Outlines the process that finders should use to report vulnerabilities; and,
- Preferences: A living document that sets expectations for preferences and priorities regarding how reports will be evaluated, including timeline expectations.
To see an example of what a live VDP looks like, you can view HackerOne’s own policy.
With NIST’s new VDP control, organizations need guidance on what makes a strong VDP and how to evaluate those strengths to demonstrate a best-in-class program. During a recent rev 5 guidance call with the FedRAMP PMO, we asked, “With RA-5(11) being a new control across all impact levels, how will that control be assessed?”
The PMO responded by pointing to the Office of Management and Budget memorandum on this topic issued in 2020, M-20-32. That document does a good job of outlining some of what we call out above, but not the specifics of how to evaluate a policy against it.
So, here we are back to square one, and you are likely asking, “Yeah — so how do I do that?”
As mentioned above, HackerOne offers VDPs as part of its own broader product offerings and regularly advises customers on industry best practices and what makes a good policy. We also carry our own FedRAMP Authority to Operate (ATO), and have experience with the FedRAMP auditing process. With that in mind, we think everyone, including auditors, should be asking the following questions:
1. How Easy/Difficult Is the Policy to Find?
Generally speaking, you should be able to use a search engine to search for “COMPANY_NAME Vulnerability Disclosure” and quickly locate said policy. In addition, a VDP should be easily discoverable via the website’s navigation, whether that be part of a security page, privacy page, or part of the main footer.
2. How Consistently Is the Policy Followed and What Metrics Are Tied to it?
For example, if the policy sets out a timeframe to respond to an initial submission, is the company meeting it? Is it acting on submissions, and how quickly? For those looking for additional reading, see HackerOne’s prescribed turnaround and resolution times.
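The question above is answerable only if you actually measure it. As an added illustration (this is not HackerOne’s code or tooling), the following Python computes time-to-first-response, time-to-triage and time-to-resolution for a set of reports and flags every report that misses the policy’s published window. The SLA figures and the report records are constructed for the example; substitute your own VDP’s numbers and an export from your ticketing system.

```python
"""Check whether a VDP's published response timelines are actually being met.

Added example, not part of the original article. The SLA targets and the
report records below are hypothetical and constructed for illustration.
"""
from datetime import datetime
from statistics import median

# Assumed policy targets, in hours (hypothetical; use your own VDP's published numbers).
POLICY_SLA_HOURS = {
    "first_response": 5 * 24,   # acknowledge every report within 5 days
    "triage": 10 * 24,          # validate and rate severity within 10 days
    "resolution": 90 * 24,      # fix confirmed findings within 90 days
}

# Constructed sample submissions (ISO 8601 timestamps; None = milestone not yet reached).
SAMPLE_REPORTS = [
    {"id": "R-1", "submitted": "2024-03-01T09:00:00", "first_response": "2024-03-01T16:30:00",
     "triaged": "2024-03-04T11:00:00", "resolved": "2024-03-28T17:00:00"},
    {"id": "R-2", "submitted": "2024-03-02T10:00:00", "first_response": "2024-03-09T10:00:00",
     "triaged": "2024-03-20T09:00:00", "resolved": None},   # late on both early milestones
    {"id": "R-3", "submitted": "2024-03-05T08:00:00", "first_response": "2024-03-05T12:00:00",
     "triaged": "2024-03-06T09:00:00", "resolved": None},   # still open, but inside the window
    {"id": "R-4", "submitted": "2023-11-01T08:00:00", "first_response": "2023-11-02T08:00:00",
     "triaged": "2023-11-03T08:00:00", "resolved": None},   # open far past the 90-day window
]

# (SLA key, record field holding the timestamp at which that milestone was reached)
MILESTONES = [("first_response", "first_response"), ("triage", "triaged"), ("resolution", "resolved")]


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def hours_elapsed(start, end):
    return (end - start).total_seconds() / 3600.0


def evaluate_report(report, sla, now):
    """Per-milestone status for one report.

    Returns {sla_key: {"hours": h, "open": bool, "met": bool}}. A milestone that has
    not been reached yet is measured against `now`; "met" is False as soon as the
    clock has run past the SLA, whether or not the milestone was ever reached.
    """
    submitted = _parse(report["submitted"])
    now = _parse(now)
    result = {}
    for sla_key, field in MILESTONES:
        reached = _parse(report.get(field))
        is_open = reached is None
        elapsed = hours_elapsed(submitted, now if is_open else reached)
        result[sla_key] = {"hours": elapsed, "open": is_open, "met": elapsed <= sla[sla_key]}
    return result


def summarize(reports, sla, now):
    """Aggregate SLA compliance across all reports, per milestone."""
    summary = {}
    for sla_key, _ in MILESTONES:
        closed_hours, met, breached = [], 0, []
        for report in reports:
            status = evaluate_report(report, sla, now)[sla_key]
            if not status["open"]:
                closed_hours.append(status["hours"])
            if status["met"]:
                met += 1
            else:
                breached.append(report["id"])
        summary[sla_key] = {
            "target_hours": sla[sla_key],
            # Median only over milestones actually reached; open ones would skew it downward.
            "median_hours": median(closed_hours) if closed_hours else None,
            "within_sla_pct": round(100.0 * met / len(reports), 1),
            "breached": breached,
        }
    return summary


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_REPORTS, POLICY_SLA_HOURS, "2024-04-01T12:00:00").items():
        print(f"{key:15s} target={stats['target_hours']}h median={stats['median_hours']} "
              f"within_sla={stats['within_sla_pct']}% breached={stats['breached']}")
```

Run against a real export, the number to compare with the policy is `within_sla_pct` per milestone; the `breached` list is what an assessor would sample. Note that an open report counts as breached the moment its window closes, so a backlog of unfixed findings shows up in the resolution figure rather than being hidden by only averaging closed tickets.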
3. What Assets Are in Scope?
This is a big one. All of the company’s digital assets should be in scope. A tightly limited scope produces fewer reports, not fewer vulnerabilities, and detracts from the “see something, say something” mindset. We recognize there may be exceptions to this rule, but they should be well thought through and few and far between. If this is part of a FedRAMP audit, an auditor should be checking whether the FedRAMP-authorized assets are included in scope. If they are out of scope, you should be asking why.
4. What Types of Findings Are in Scope?
This is an opportunity for the VDP to offer context around which vulnerability findings are most important to the organization and what type of testing is allowed under the policy. Ideally, any type of finding should be in scope, but we recognize that this may not always be possible. One example of a class of findings that may be deprioritized is findings in third-party assets the organization does not control.
5. Is There a Promise of Safe Harbor for Reasonable Submissions?
Safe Harbor refers to the company’s commitment not to pursue legal action against an ethical hacker who follows the policy and industry norms when submitting a discovered vulnerability. In May 2022, the U.S. Department of Justice revised its charging policy for the Computer Fraud and Abuse Act to state that “good-faith security research should not be charged.”
A lack of a Safe Harbor provision effectively undermines any VDP, since researchers will be reluctant to submit vulnerabilities for fear of prosecution. Safe Harbor also gives the company a clear, documented basis for the testing it is authorizing.
As the leading expert in vulnerability disclosure, HackerOne has spent extensive time researching and consulting on this topic so that you do not have to. The HackerOne platform defines the Gold Standard Safe Harbor, which provides all parties the best protections afforded.
6. Is the Preferred Method of Contact Easy to Follow?
Nobody wants to call a 1-800 number, submit their birth certificate, and sign a 90-page contract before being able to submit a vulnerability. The recommended methods of contact for a VDP are a group email address, a submission form on the website, or a submission form on a platform. Design the form for this use case and keep requirements and legalese to the minimum, since either will put off a potential reporter.
Stay On Top of the NIST VDP Control
This conversation will continue to evolve as the FedRAMP PMO and industry leaders update the guidance. HackerOne will monitor the situation and update our own insights as it evolves. We encourage you to bookmark this page to keep up with the latest developments. You can also contact us with any questions. We’d love to sit down with you to understand your needs and how we can help.