Sept. 22, 2015
Today, HackerOne (where I am the Chief Policy Officer) released the Vulnerability Coordination Maturity Model, which is designed to help organizations improve the way they respond to reports about security holes in their software or services. It was created as a benchmarking tool for organizations to self-assess their capabilities, and build a roadmap to improve their vulnerability coordination with both security researchers as well as other partners and stakeholders.
The maturity model is organized around five capability areas that determine an organization’s maturity level with respect to vulnerability coordination, such as whether the company is organizationally set up to receive reports by having either a “firstname.lastname@example.org” email address or a form, and how it handles vulnerability reports from there.
The Vulnerability Coordination Maturity Model describes several key activities in each capability area that range from basic to advanced to expert. The greater the investment in any particular area, the greater the potential ability to use the information about software bugs to help make current and future software more secure proactively.
No software is immune to bugs. For most organizations it’s not a matter of if they’ll have an external party reporting security vulnerabilities, but when. Being able to properly handle vulnerability reports means organizations will find and fix issues faster.