There is a need to develop vulnerability disclosure policies, which will address how a health care organization can respond to aresearchers report that aproduct contains a vulnerability. The assurance of the researchers is that they will not be prioritized unfairly for reporting the vulnerability. The health care organization n prioritizes the quality of the systemand ensures to have the best policies in the development lifecycle, where it willaddressvulnerabilities(Householder, Wassermann, & Manion, 2017). There may be challenges to develop a CVD programdesigning repeatable procedures, and scoring the program to meet the organization’s technical capacity. In the wake of increasingcases of vulnerability such as Heartbleed, a significanttechnologythreat, there is a need for any firm, more soa health care organization, to have a CVD program(Woszczynski, Green, Dodson, & Easton, 2020). This will help in ensuring that it gives submittingpotentially unknown and harmful securityvulnerabilities to an organization.
The CVD will allow a precisecommunication mechanism for people to reportvulnerabilities in the firm’sproducts and services. The CVD will not need to belong, but rather be none that contains the elements of promise. Scope, safe harbor, process, and preferences(Pupillo, Ferreira, & Varisco, 2018). This particular CVD will ensurepromises and demonstrateclear and reasonable faith commitment to customers and other key stakeholderswhosesecurity vulnerabilities may impact. For scope, the CVDwill indicate the property and products and the vulnerability types covered, for the process will entail the description of process finders on how to report vulnerabilities. For Safe harbor, theCVD will ensure that the reporters of good faithwill not be penalized. Finally, the CVD will endure being a living document that will set the expectations for preferences and priorities on evaluating the reports.
Our Health organization seeks to be a leader in protecting our user’s security and privacy. Henceit has designed systemswith asecurity-first framework. The organization performs modeling resilience testing to acquire solutions and maintain a secure system through its IT sector. As a result, the organization welcomes security researchers who will inform the company of any vulnerabilities that could put the firm’s safety and security at risk.
The researchers also need to notify the company of any vulnerabilitythat could compromise the integrity, confidentiality, or availability of the organization’s systems. The vulnerability disclosure policy aims to play out when the company interacts with other parties and informs of dialogue with any securityresearcher who may report any detailsof vulnerabilities(Kranenbarg, Holt, & van der Ham, 2018). The company intends to ensure that it has integrationmechanismsand well associateswithothers to protect the systems and ensure the safety and security of the users. The scope of the CVD program for the health care organizationentailsany security vulnerabilities that affect the technological sector of the organization. The following items will be within the scope for the CVD Program:
This is since this can help improve responsiveness by the supplier of the product or the software.
What is expected of the researcher
It is expectedthat the securityresearchers are encouraged to undertake vulnerabilityresearch. However to be able to differentiatebetween legitimate research and malicious activity , there is a need for theresearchers to :
What you can expect from our company
Once your work in accordance with our policyandthe rules and regulations, this is what you can expect from our company:
Reporting a vulnerability can be done by sending a message through our email addresses or using our website. When reporting, a researcher is asked not to abuse the reportedvulnerability (Pupillo, 2018). This can be inform of downloadingmore than necessarydata to demonstratevulnerability, deleting any part of the system or data. Reporters are also asked to exercisecaution and ensure to restrain from accessing any personal data. They need to ensure that they do not intentionally engage in any forms of attacksagainstthe third parties, deny service tasks, or in any way causing a nuisance to the other users.
How to submit the vulnerability report?
There is a need to submit a high-qualityreport to get feedback from our organization team. Some specific issues and elements must be a part of the report to ensure that theydemonstrate the quality of the vulnerability. Any reports that are of low quality will be closed and not attended to. This is the recommended format thatwill be accepted once submitted through our email or website:
Eligibility and Disclosure
To submitvulnerability to be eligible, a researcher will need to agree on the vulnerabilitydisclosurepolicy. He/she must confirm that he/she is the first person to responsibilityconfirms an unknown issue. Once the report is sent to our organization, then the legitimatereportswill be reviewed and evaluated by our company’s technical and security, who will then determine whether the report is eligible or not(Tucker, 2018).The disclosure may take lace either privately or publicly . For the private disclosure , the vulnerability will be reported discreetly to the firm . The firm may choose to publish the details or not , but will be at its discretion(Kranenbarg, Holt, & van der Ham, 2018). Details of the private disclosure may never be made public at any given point. On the other hand, for the full disclosure , all details of the vulnerability may be made public as soon as they are identified. For the full disclosure, the full details are made public to everyone including potential attackers , where in this case the patch is often available.
Our organization ensures to maintain both a privacy and transparency report. As mentioned in the company’s privacy and securitypolicy, our institution’s websites and services are not to be used by anyone who is below the age of 18. This is due to the Children’s privacy protection Act, which does not permit the company to accept any submissions made by children(Tucker, 2018). Therefore,reports which are below 18 are not eligible to receive any award after making a vulnerability report. However, the company may findanother way of recognizing such an effort.
The vulnerabilityreport program is not open to people in the countriesthatare sanctioned by the US. The decision for the company to pay the rewards to persons who have eligible reports is at the company’sdiscretion. To get a bonus one, must ensure that he/she abides by the lawwithout failure. He/she is supposed to be responsible for any tax implications or any additionalrestrictionswhichsolelydepend on the countries and local laws. The company holds the rightto cancel the program at any time it wishes. Our organization’s employees and family members are not supposed to undertake any vulnerabilityreporting and are not eligible for any rewards.
The researcherswill need to ensure that they consistently conduct their activitieswith our policy and consider authorized conduct. Failure to do so could lead to the initiation of legal action against them. However, if a third party initiates the legal action, yet the researcher was doing it in line with the policy, we will ensure to undertake steps that make it known that his/her activities were conducted in compliance with our policy. Researchers who report for vulnerabilitiesonce paid by the company will be responsible for paying any taxes associated with the reward. The organization has theright to modify the terms of the program or even terminate the program at any time it wishes. Any of the changes to the program will not be made retroactively. The people prohibited by the law to make such reports are ineligible for rewards or even reporting vulnerabilities.
The vulnerability policy has several policy attributes, which make it be in line with the company culture and vision: They include
The policydemonstrates a clear and reasonable faith commitment to the clients and other key stakeholders, which the vulnerabilities of securities may potentially impact. This is since all the aspects of the CVD are in line with the vision and missionstatement of the organization, where the primarycommitment is to the security, customers, and other key stakeholders(Kranenbarg, Holt, & van der Ham, 2018). The CVD ensures statements on why the policy was created and what it is expected to accomplish.
A CVD Procedure based on the policies
After highlighting the policies, there is now a need to understand the procedures that the researchers andreporters will need to report the vulnerability reports to our company. The proceduresentail the scope, the time limits, the ways of maintaining contact, and filing re[orts to the organization.
The goal of the CVD program will be to ensure that vulnerability reporters have a straightforward process of sharing crucial information regarding a threat or any issues related to the company system.
The firstsubmissions process will include presenting the vulnerability report or any company email provisions or submitting the website. The researcherwill be required to refrain from having sensitive information such as PHI, PII as part of thesubmissionto ensure the security or privacy of the user isprotected. In the course of the proposal, the following will need to be provided:Contact information which includes name, email address, phone number, homeaddress, and a contact person. This is to be followed by the date and method of discovering the vulnerability, which will help analyze the legibility of the report. There will then be a need to describe the potential vulnerability, including the product name, version number, and configuration details. The reporter will then need to submit the steps of reproducing the vulnerability, including tools and methods m, exploitation code, and privileges required. Finally, there will be the need to provide the results and the likely impacts of the vulnerability.
Upon receiving the vulnerability report, the organization’ssecurity and technical team will acknowledge the receipt within ten business days through an email or a phone call. They will then work together through a well laid system toevaluate and validate the research findings. Thefirst process will be to collectthevulnerability report, which will be done in three ways. First, there will be theevaluation of the vulnerability information to establish that itiseligible for the following process. This will be followed by monitoring of public sources with the aim of understanding whether there is other vulnerabilityinformation related to this is public. The third way will be to assess whether there are direct reports of a similar vulnerability with the security system. After receiving the information, the securitydepartments willperform an initial analysis of accessing the vulnerability and comparing with other existing reports to identify any likely duplicates. This will then be followed by cataloging the vulnerability reports, including all known information regarding the vulnerability.
The second process will entail an in-depth analysis of the vulnerability. After cataloging the information, there will be a need for a team to work and understand the vulnerabilities by examining the technical issues andassessing the potential risks the vulnerability represents. The third step will involve mitigation coordination. This will entail working together with technical and security teams to establish the best mitigation techniques for dealing with the vulnerabilities(Tyzenhaus, 2018). The processwill entail developing programs and software that can protect the system against any threats presented by the vulnerabilities identified.
Thefourth stage will include the application of the mitigation. The teams will ensure that they facilitate time for the faced end users to obtain, test, and apply mitigation strategies before having apublic disclosure of the new measures undertaken. Finally, there will be the disclosure stage. This willcoordinate with the affectedstakeholders and the teams to notify users about the vulnerability while using multiplechannels. The organizationwill strive todisclose accurate, neutral, and objective information focused on technical remediation and mitigation.
After analyzing the report, the company will contact the reported to either request additional information needed or to advise on the right next course of action. This may include rewardinghim/her for helping the company in protecting its systems and its users. However, in some events, a reporter who may have done an illegal act or failed to adhere to the policies may be summoned for a lawsuit for action since this would comprise the system’s security and users.
All the vulnerability reporters mustbe aware that our institution greatly protects our customers’ health, well-being, and safety, andpersonal information. Wen conducting the security research, they will need to consider the consumer, the end-user, a top priority and ensure that allhis/herdata is safeguarded, failure to which it might expose him/her. The researcher is expected to avoid any actions that would cause harm to the patient or the institution’s products (Householder, Wassermann, & Manion, 2017). It is also essential to note thatvulnerability testing could alsonegatively impact a product. It is, therefore,crucial to avoid testing on active products in aclinical setting. Likewise, it is not advisable to use products subjected to security testing and not be used in a clinical setting.
In case of any doubt, the researchershould alwayscommunicate with ourorganization to ensure that nothing goes wrong in his vulnerabilitytesting process. It is also to be noted that our organizationreserves the right to modify its coordinated vulnerability disclosure process at any given time. The firm does not need to notice its modification and can make exemptions on a case-by-case basis. The firm also does not guarantee any particular levels of responseon the issue. However, in the event of avulnerability, the firm promises to acknowledge and attribute recognition to the researcher who has reported the vulnerability. There is always the need to ensure that when researching a vulnerability, ensure that all the guidelines and policies are fowled to the latter to avoid any future conflicts and disagreementswith the organization, leading to multiple lawsuits.
The time frames for mitigation development and schedule disclosure could be affected by multiplefactors. Some of the factors likely to affect the time; line include threats of a severe nature, active exploitation, and or situationsthat would require changes to the establishedstandards(Kranenbarg, Holt, & van der Ham, 2018). Otherfactors may consist of ifthe vulnerability has already been publicly disclosed,e.g., published by a researcher. Another reason may be the potential impact of acritical infrastructure that may be interfered with thesystem. The issue of national security in the system may alsosignificantly affect the time frame for mitigationssince the organization has to abide by the laws. Other factors may include publichealth or safety, which has to be protected at all costs. When there is an availability of effective mitigations, the team’s responsibility fordeveloping either an update or a patchcouldalso derail the disclosuretimeline. Finally, an estimation of time by the researcher on obtaininga test and applying a patch could be wrong, leading to more derailment of the timeline.
After the disclosure takes place, the organizationhas the mandate to recognize the researcher and publish his/her name in the publicationsor media to acknowledge his/herefforts. He/she may also beconstantly getupdated on the progress of the mitigation efforts and may be called to help the organization in case his/herexpertiseis needed.
Householder, A. D., Wassermann, G., & Manion, A. &. (2017). The cert guide to coordinated vulnerability disclosure. Carnegie-Mellon Univ Pittsburgh Pa Pittsburgh United States.
Kranenbarg, M. W., Holt, T. J., & van der Ham, J. (2018). Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure. Crime Science, 7(1), 1-9.
Pupillo, L. (2018). EU Cybersecurity and the Paradox of Progress. CEPS Policy Insights No 2018/06, February 2018.
Pupillo, L., Ferreira, A., & Varisco, G. (2018). Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges. Report of a CEPS Task Force. CEPS Task Force Reports 28 June 2018.
Tucker, L. (2018). VULNERABILITY DISCLOSURE POLICY BASICS: 5 CRITICAL COMPONENTS. Retrieved from https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components
Tyzenhaus, L. (2018). Coordinated Vulnerability Disclosure. Carnegie Mellon University Software Engineering Institute Pittsburgh United States.
Woszczynski, A., Green, A., Dodson, K., & Easton, P. (2020). Zombies, Sirens, and Lady Gaga–Oh My! Developing a framework for coordinated vulnerability disclosure for US emergency alert systems. Government Information Quarterly, 37(1), 101418.
Try it now!
How it works?
Follow these simple steps to get your paper done
Place your order
Fill in the order form and provide all details of your assignment.
Proceed with the payment
Choose the payment system that suits you most.
Receive the final file
Once your paper is ready, we will email it to you.