Don’t hate the hacker - hate the vulnerability!

Organizations need to be ready to receive and act on reports of security problems, not ignore them

Today, HackerOne (where I am the Chief Policy Officer) released the Vulnerability Coordination Maturity Model, which is designed to help organizations improve the way they respond to reports about security holes in their software or services. It was created as a benchmarking tool for organizations to self-assess their capabilities, and build a roadmap to improve their vulnerability coordination with both security researchers as well as other partners and stakeholders.

The maturity model is organized around five capability areas that determine an organization’s maturity level with respect to vulnerability coordination, such as whether the company is organizationally set up to receive reports by having either a “” email address or a form, and how it handles vulnerability reports from there.

The Vulnerability Coordination Maturity Model describes several key activities in each capability area that range from basic to advanced to expert. The greater the investment in any particular area, the greater the potential ability to use the information about software bugs to help make current and future software more secure proactively.

No software is immune to bugs. For most organizations it’s not a matter of if they’ll have an external party reporting security vulnerabilities, but when. Being able to properly handle vulnerability reports means organizations will find and fix issues faster.


Katie Moussouris is a fellow in the Cybersecurity Initiative. She is the founder and CEO of Luta Security, the only company offering gap analysis and guidance on ISO 29147 vulnerability disclosure and vulnerability coordination program implementation.