Introduction

There is a need to develop vulnerability disclosure policies, which will address how a health care organization can respond to aresearchers report that aproduct contains a vulnerability. The assurance of the researchers is that they will not be prioritized unfairly for reporting the vulnerability. The health care organization n prioritizes the quality of the systemand ensures to have the best policies in the development lifecycle, where it willaddressvulnerabilities(Householder, Wassermann, & Manion, 2017).  There may be challenges to develop a CVD programdesigning repeatable procedures, and scoring the program to meet the organization’s technical capacity.  In the wake of increasingcases of vulnerability such as Heartbleed, a significanttechnologythreat, there is a need for any firm, more soa health care organization, to have a CVD program(Woszczynski, Green, Dodson, & Easton, 2020). This will help in ensuring that it gives submittingpotentially unknown and harmful securityvulnerabilities to an organization.

The CVD  will allow a precisecommunication mechanism for people to reportvulnerabilities in the firm’sproducts and services.  The CVD will not need to belong, but rather be none that contains the elements of promise. Scope, safe harbor, process, and preferences(Pupillo, Ferreira, & Varisco, 2018).  This particular CVD will ensurepromises and demonstrateclear and reasonable faith commitment to customers and other key stakeholderswhosesecurity vulnerabilities may impact.  For scope, the CVDwill indicate the property and products and the vulnerability types covered, for the process will entail the description of process finders on how to report vulnerabilities. For Safe harbor, theCVD will ensure that the reporters of good faithwill not be penalized.  Finally, the CVD will endure being a living document that will set the expectations for preferences and priorities on evaluating the reports.

Scope

Our Health organization seeks to be a leader in protecting our user’s security and privacy. Henceit has designed systemswith asecurity-first framework. The organization performs modeling resilience testing to acquire solutions and maintain a secure system through its IT sector. As a result, the organization welcomes security researchers who will inform the company of any vulnerabilities that could put the firm’s safety and security at risk.

The researchers also need to notify the company of any vulnerabilitythat could compromise the integrity, confidentiality, or availability of the organization’s systems.  The vulnerability disclosure policy aims to play out when the company interacts with other parties and informs of dialogue with any securityresearcher who may report any detailsof vulnerabilities(Kranenbarg, Holt, & van der Ham, 2018). The company intends to ensure that it has integrationmechanismsand well associateswithothers to protect the systems and ensure the safety and security of the users. The scope of the CVD program for the health care organizationentailsany security vulnerabilities that affect the technological sector of the organization. The following items will be within the scope for the CVD Program:

• The health organization authorizes good-faith research into any of its digital systems and assets, including the company website, the website infrastructure thatAWS, and any other institution repository host.
• Some of the vulnerabilities that are out of scope include physical security for the institution and any feature related to social engineering.
• For the vulnerability in third-party systems, libraries, and codes, the company will guide the researchers to report them to appropriateparties. This can be through either the use of third parties such as the CERT/CC.  Reporting third party to our institution, we may alsoreport the issue through the institution’s supply chain, but not to third parties.

This is since this can help improve responsiveness by the supplier of the product or the software.

• In addition to reporting the violations directly to the organization, other potentialvulnerabilities associated with any software or a product listed with any organization that is not associated without a firm should be reported to the software or product directly.
• Our organization currently does not pay bounties or maintain a “hall of fame” for vulnerabilityreports.
• It should be noted that our organization supports securityresearchers that only act in good faith.
• The company believes that well-intentionedsecurityresearch helps in improving patient safety and the overall effectiveness of the hospital.
• Our company does not intend to take any legal action against any researcher who appears to be acting in good faith.
• The company considers theresearchconducted under this policy to be either authorized or exempt. Authorized means it is in the view of amicable anti-hacking and anti-circumvention laws in lace. On the other hand, it is exempt from conflicting restrictions in documenting the governingof our score digital assets as indicated in the scope.
• Everyparty is expected to comply with the applicable laws. If any third party takes action against a researcher and finds that the research was conducted in compliance with our policy,our company will ensure to provide this policy. For the avoidance of doubt, our company will nevertheless not be liable for any liability or costs associated with the legal action by any third party.
• At any given point, if a researcher has a concern or is uncertain onwhether the security research is in line with our policy, there will be a need for him/her to submit a report through our official channels before getting any further with the research.

What is expected of the researcher

It is expectedthat the securityresearchers are encouraged to undertake vulnerabilityresearch. However to be able to differentiatebetween  legitimate research and malicious activity , there is  a need for theresearchers to :

1. Follow all the rules and policies in place and any other agreements that have been set forth by our company. This is to ensure that he is conversant with what is expected of him , a factor that will raise the likelihood of his/her submission on vulnerability accepted.
2. That they comply with all and any applicable laws (local, state, and international)

• Report any potentialvulnerability discovered.

1. Protect the confidentiality and details of any vulnerabilities
2. If a vulnerability has providedunintendedaccess to data, then the researcherwill need to:

• Ensure that they limit the data amount access to a minimum to demonstrate a proof of concept effectively.
• Stop testing and immediately make a submission of a report  in the event they encounter any user data in the course of testing. The user data may include ProtectedHealthy Information and Personal Identifiable Information, among others.

 

1. At all times, use official channels in discussingthevulnerabilitywith the company

• Preform testing only on in score digital assets
• Always respect theassets and activities that are out of scope

1. Always limit the interactions when testing accounts, they own
2. Always ensure that they use accounts when they havethe explicitpermission of the account holder
3. Notify our company when you have the plans of making apublic disclosure whichwill include the methods and timing.

• Not at any given point should they engage in extortion
• Protect the confidentiality and details of any vulnerabilities. There are many ways that can be used to ensure that there is confidentiality of First is to ensure that one limits the disclosure of those who need to know . There will also be need for sue of appropriate  contractual protections such as non-disclosure agreements as a way of preventing any leakages.  There will also be  the need to establish suitable  security measures  such as setting firewalls, encryptions and anti- hackers to protect the information from leaking to the public. A researcher will need to ensure that all these measures together with implementing appropriate procedures are in place as a way of avoiding leaking the vulnerabilities to unintended parties.

 

What you can expect from our company

Once your work in accordance with our policyandthe rules and regulations, this is what you can expect from our company:

1. A response to any submissions made within ten days
2. Maintenance ofa productive dialog
3. Working withyou tohelp you understand and validate any report you make
4. Ensure that any validated vulnerabilities areaddressedpromptly
5. Constantlyupdate on progress and notifyeven the company believes that it has discussed efficiently any underlying issue

Reporting a vulnerability can be done by sending a message through our email addresses or using our website. When reporting, a researcher is asked not to abuse the reportedvulnerability (Pupillo, 2018). This can be inform of downloadingmore than necessarydata to demonstratevulnerability, deleting any part of the system or data. Reporters are also asked to exercisecaution and ensure to restrain from accessing any personal data. They need to ensure that they do not intentionally engage in any forms of attacksagainstthe third parties, deny service tasks, or in any way causing a nuisance to the other users.

How to submit the vulnerability report?

There is a need to submit a high-qualityreport to get feedback from our organization team.  Some specific issues and elements must be a part of the report to ensure that theydemonstrate the quality of the vulnerability.  Any reports that are of low quality will be closed and not attended to.  This is the recommended format thatwill be accepted once submitted through our email or website:

1. Theaffected target, feature, and/or the URL
2. A comprehensive description of what the problem entails

• The impact of the issueon the company, the users, or any other party

1. The specific steps to reproduce
2. A proof of concept
3. Fill in whether the knowledge of the issue is currently public or no one knows about it

Eligibility and Disclosure

To submitvulnerability to be eligible, a researcher will need to agree on the vulnerabilitydisclosurepolicy. He/she must confirm that he/she is the first person to responsibilityconfirms an unknown issue. Once the report is sent to our organization, then the legitimatereportswill be reviewed and evaluated by our company’s technical and security, who will then determine whether the report is eligible or not(Tucker, 2018).The disclosure may take lace either privately or publicly . For the private disclosure , the vulnerability will be reported discreetly to the firm . The firm may choose to publish the details or not , but will be at its discretion(Kranenbarg, Holt, & van der Ham, 2018). Details of the private disclosure may never be made public at any given point. On the other hand, for the full  disclosure  , all details of the vulnerability may be made public as soon as they are identified.  For the full disclosure, the full details are made public to everyone including potential attackers , where in this case the patch is often available.

Privacy Policy, Restrictions, and Taxes

Our organization ensures to maintain both a privacy and transparency report. As mentioned in the company’s privacy and securitypolicy, our institution’s websites and services are not to be used by anyone who is below the age of 18.  This is due to the Children’s privacy protection Act, which does not permit the company to accept any submissions made by children(Tucker, 2018). Therefore,reports which are below 18 are not eligible to receive any award after making a vulnerability report.  However, the company may findanother way of recognizing such an effort.

The vulnerabilityreport program is not open to people in the countriesthatare sanctioned by the US. The decision for the company to pay the rewards to persons who have eligible reports is at the company’sdiscretion.  To get a bonus one, must ensure that he/she abides by the lawwithout failure.  He/she is supposed to be responsible for any tax implications or any additionalrestrictionswhichsolelydepend on the countries and local laws.  The company holds the rightto cancel the program at any time it wishes. Our organization’s employees and family members are not supposed to undertake any vulnerabilityreporting and are not eligible for any rewards.

The researcherswill need to ensure that they consistently conduct their activitieswith our policy and consider authorized conduct. Failure to do so could lead to the initiation of legal action against them. However, if a third party initiates the legal action, yet the researcher was doing it in line with the policy, we will ensure to undertake steps that make it known that his/her activities were conducted in compliance with our policy. Researchers who report for vulnerabilitiesonce paid by the company will be responsible for paying any taxes associated with the reward.  The organization has theright to modify the terms of the program or even terminate the program at any time it wishes.  Any of the changes to the program will not be made retroactively.  The people prohibited by the law to make such reports are ineligible for rewards or even reporting vulnerabilities.

Submission preferences and prioritizations

Vulnerability reports will be beneficial to the institution only if they:

i.                    Are strictly fact-based andensure that they are concise

ii.                   Include ow the researcher found the vulnerability, its impact, and most suitable remedial suggestions

iii.                 Have a proof of concept code that helps diagnose the root causes as fast as possible. This may include cramp dumps and automated tools, which are essential. They also need to be accompanied by acode or be clearly defined with states that focus on reproducibility, making them very valuable to the organization.

iv.                For videos are acceptable but have to be supported by proof of concept and reproducibility steps. The organization dramatically discourages any form of video that does not have any supporting materials.

v.                  Submissions need to be done in English. However, no submissions at any given point will go unattended, even in another language.

            As much as it encourages good faith reports, our organization seeks to categorically state that it has control over the other third parties. However, in suitable times, the organization will involve third parties in issues regardingvulnerabilities and reports as responsibly as possible.

Policy attributes

The vulnerability  policy has several policy attributes, which make it be in line with  the company culture and vision:  They include

1. Promise

The policydemonstrates a clear and reasonable faith commitment to the clients and other key stakeholders, which the vulnerabilities of securities may potentially impact. This is since all the aspects of the CVD are in line with the vision and missionstatement of the organization, where the primarycommitment is to the security, customers, and other key stakeholders(Kranenbarg, Holt, & van der Ham, 2018). The CVD ensures statements on why the policy was created and what it is expected to accomplish.

2.      Scope

 The scope is well laid out and ensures that it indicates thetheme of products and services which are vulnerable. It also depictswhat the companywillneedresearchers to continually report on vulnerabilities to help maintain the security of the company systems both what is in the scopeand what is not are well laid out.

3.      “Safe Harbor”

The CVD policy of the company assures all the reporters that as long as they have good faith, they will not be unduly penalized. The reporters are assured that no legal action will be undertaken from the policy statementif they abide by the set rules and regulations and are in good faith.  The policy clarifies that any individual willing to participate in vulnerabilityresearchif they mean well for the company issafe and may even get a reward if theirreport is eligible.

4.      Process

Another attribute of the policy is the explanationof the entire process of reporting a vulnerability.  It states the steps to undertake for the researchers to submit their reports and ensure that they are eligible. If any reporter reads the processes in the policies, he/ she willquickly understand how to easily approach the company and submit his /her vulnerability report.  It is essential to note thatfinders of the vulnerability are unpaid but may be awarded if they explain various vulnerabilityreports and help the company with important information.  This means that they need to follow the procedures to ensure that they have structured data andfollow the guidelines and policies.

5.      Preferences

 This is the final attribute of the policy, where it examineswhether the;policy is clear on issues such as submission and initialresponse. Alltheseissues are addressed in the policy, where issues such as change of the processes, days of submissions, and replies by the organization team are included.

 

 

A  CVD Procedure based on the policies

Content

After highlighting the policies, there is now a need to understand the procedures that the researchers andreporters will need to report the vulnerability reports to our company. The proceduresentail the scope, the time limits, the ways of maintaining contact, and filing re[orts to the organization.

Scope

• It should be noted that the CVD processes are in place to the reporting of any likely threats or system hitches or likely hitches that can affect the systems of our organization
• The reason for reporting is to helpsafeguard the privacy and security of the users of the system and ensure that the organization is saved from incurring losses resulting from the hitch or attack.
• Reporting the vulnerabilities does not necessarilymean that the company willpay the researchersince it has to align with the set policies.
• Researchers need to ensure that they are;eligiblebefore making a report.
• Following the correct procedures willensurethatthe researchers get it right in reporting. Our organization’s technical and security team will take their reports as a serious issue and a matter of urgency.
• Once they clarify the research, the reporter will likely be accorded an award thatmay include a monetary token of appreciation.

Procedures

The goal of the CVD program will be to ensure that vulnerability reporters have a straightforward process of sharing crucial information regarding a threat or any issues related to the company system.

Contact information and CVD submission process

The firstsubmissions process will include presenting the vulnerability report or any company email provisions or submitting the website. The researcherwill be required to refrain from having sensitive information such as PHI, PII as part of thesubmissionto ensure the security or privacy of the user isprotected. In the course of the proposal, the following will need to be provided:Contact information which includes name, email address, phone number, homeaddress, and a contact person. This is to be followed by the date and method of discovering the vulnerability, which will help analyze the legibility of the report.  There will then be a need to describe the potential vulnerability, including the product name, version number, and configuration details.  The reporter will then need to submit the steps of reproducing the vulnerability, including tools and methods m, exploitation code, and privileges required.  Finally, there will be the need to provide the results and the likely impacts of the vulnerability.

What happens next

Upon receiving the vulnerability report, the organization’ssecurity and technical team will acknowledge the receipt within ten business days through an email or a phone call.  They will then work together through a well laid system toevaluate and validate the research findings. Thefirst process will be to collectthevulnerability report, which will be done in three ways. First, there will be theevaluation of the vulnerability information to establish that itiseligible for the following process. This will be followed by monitoring of public sources with the aim of understanding whether there is other vulnerabilityinformation related to this is public. The third way will be to assess whether there are direct reports of a similar vulnerability with the security system.  After receiving the information, the securitydepartments willperform an initial analysis of accessing the vulnerability and comparing with other existing reports to identify any likely duplicates. This will then be followed by cataloging the vulnerability reports, including all known information regarding the vulnerability.

The second process will entail an in-depth analysis of the vulnerability. After cataloging the information, there will be a need for a team to work and understand the vulnerabilities by examining the technical issues andassessing the potential risks the vulnerability represents.  The third step will involve mitigation coordination. This will entail working together with technical and security teams to establish the best mitigation techniques for dealing with the vulnerabilities(Tyzenhaus, 2018).  The processwill entail developing programs and software that can protect the system against any threats presented by the vulnerabilities identified.

Thefourth stage will include the application of the mitigation. The teams will ensure that they facilitate time for the faced end users to obtain, test, and apply mitigation strategies before having apublic disclosure of the new measures undertaken. Finally, there will be the disclosure stage. This willcoordinate with the affectedstakeholders and the teams to notify users about the vulnerability while using multiplechannels.  The organizationwill strive todisclose accurate, neutral, and objective information focused on technical remediation and mitigation.

After analyzing the report, the company will  contact the reported to either request additional information needed or to advise on the right next course of action. This may include rewardinghim/her for helping the company in protecting its systems and its users. However, in some events, a reporter who may have done an illegal act or failed to adhere to the policies may be summoned for a lawsuit for action since this would comprise the system’s security and users.

Disclaimer

All the vulnerability reporters mustbe aware that our institution greatly protects our customers’ health, well-being, and safety, andpersonal information.  Wen conducting the security research, they will need to consider the consumer, the end-user, a top priority and ensure that allhis/herdata is safeguarded, failure to which it might expose him/her.  The researcher is expected to avoid any actions that would cause harm to the patient or the institution’s products (Householder, Wassermann, & Manion, 2017).  It is also essential to note thatvulnerability testing could alsonegatively impact a product. It is, therefore,crucial to avoid testing on active products in aclinical setting. Likewise, it is not advisable to use products subjected to security testing and not be used in a clinical setting.

In case of any doubt, the researchershould alwayscommunicate with ourorganization to ensure that nothing goes wrong in his vulnerabilitytesting process.  It is also to be noted that our organizationreserves the right to modify its coordinated vulnerability disclosure process at any given time. The firm does not need to notice its modification and can make exemptions on a case-by-case basis.  The firm also does not guarantee any particular levels of responseon the issue.  However, in the event of avulnerability, the firm promises to acknowledge and attribute recognition to the researcher who has reported the vulnerability. There is always the need to ensure that when researching a vulnerability, ensure that all the guidelines and policies are fowled to the latter to avoid any future conflicts and disagreementswith the organization, leading to multiple lawsuits.

Disclosure Timeline

The time frames for mitigation development and schedule disclosure could be affected by multiplefactors.  Some of the factors likely to affect the time; line include threats of a severe nature, active exploitation, and or situationsthat would require changes to the establishedstandards(Kranenbarg, Holt, & van der Ham, 2018). Otherfactors may consist of ifthe vulnerability has already been publicly disclosed,e.g., published by a researcher. Another reason may be the potential impact of acritical infrastructure that may be interfered with thesystem. The issue of national security in the system may alsosignificantly affect the time frame for mitigationssince the organization has to abide by the laws.  Other factors may include publichealth or safety, which has to be protected at all costs. When there is an availability of effective mitigations, the team’s responsibility fordeveloping either an update or a patchcouldalso derail the disclosuretimeline.  Finally, an estimation of time by the researcher on obtaininga test and applying a patch could be wrong, leading to more derailment of the timeline.

After the disclosure takes place, the organizationhas the mandate to recognize the researcher and publish his/her name in the publicationsor media to acknowledge his/herefforts. He/she may also beconstantly getupdated on the progress of the mitigation efforts and may be called to help the organization in case his/herexpertiseis needed.

 

 

References

Householder, A. D., Wassermann, G., & Manion, A. &. (2017). The cert guide to coordinated vulnerability disclosure. Carnegie-Mellon Univ Pittsburgh Pa Pittsburgh United States.

Kranenbarg, M. W., Holt, T. J., & van der Ham, J. (2018). Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure. Crime Science, 7(1), 1-9.

Pupillo, L. (2018). EU Cybersecurity and the Paradox of Progress. CEPS Policy Insights No 2018/06, February 2018.

Pupillo, L., Ferreira, A., & Varisco, G. (2018). Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges. Report of a CEPS Task Force. CEPS Task Force Reports 28 June 2018.

Tucker, L. (2018). VULNERABILITY DISCLOSURE POLICY BASICS: 5 CRITICAL COMPONENTS. Retrieved from https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components

Tyzenhaus, L. (2018). Coordinated Vulnerability Disclosure. Carnegie Mellon University Software Engineering Institute Pittsburgh United States.

Woszczynski, A., Green, A., Dodson, K., & Easton, P. (2020). Zombies, Sirens, and Lady Gaga–Oh My! Developing a framework for coordinated vulnerability disclosure for US emergency alert systems. Government Information Quarterly, 37(1), 101418.

 

 

 

 

 

 

.