Coordinated Vulnerability Disclosure Manifesto signed
Approximately 30 organisations signed the Coordinated Vulnerability Disclosure Manifesto today. In it they declare their support for the principle that every organisation should have a point of contact to which IT vulnerabilities can be reported, and state that they either already have such a point of contact in place or will set one up soon. By signing the manifesto, the participating organisations acknowledge the importance of the efforts of researchers and the hacker community in making the internet and our society safer. The manifesto is an initiative of Rabobank and CIO Platform Nederland. The signing took place during the High Level Meeting Cyber Security in Amsterdam, organised by the Ministry of Security and Justice in the context of the Dutch Presidency of the EU.
Wim Hafkamp, Chief Information Security Officer at Rabobank: ‘Customers want to take care of their banking in a safe, quick and easy way. Reliability and security of our systems are of fundamental importance to keep the trust of our customers. Via this manifesto we give security researchers and ethical hackers the opportunity to report possible weaknesses to us. Reporters do not have to worry about legal action on our part. On the contrary, reported vulnerabilities will always be taken seriously. We do have some ground rules for this process, both for the reporter and for the receiving party. In this way organisations are in permanent dialogue with known and unknown cyber security researchers. We are very pleased to take this step today, with approximately 30 organisations. Cooperation and learning from each other are so important in this field of work.’
Ronald Verbeek, Director CIO Platform Nederland: ‘With this manifesto we want to acknowledge the efforts of researchers and the hacker community, as well as emphasise the importance of balance between transparency and time-to-react. On the one hand the public must be informed about newly discovered security leaks. On the other hand the organisations must be given the time to investigate and resolve the weaknesses. Vulnerable parts in systems can cause a lot of damage if they are not dealt with in time; we prefer that these vulnerabilities are reported by well-meaning hackers instead of abused by malevolent criminals.’
Among the organisations that have signed are large players in the fields of transport, healthcare, energy, telecom and banking. Organisations that become interested can still sign the manifesto after today. The initiative will be hosted by the Global Forum on Cyber Expertise (GFCE). Best-practice documents for implementation are made available by CIO Platform Nederland, based on documents from Coöperatie SURF U.A. More information about the initiative, the manifesto itself and the signatories is available on the website of the GFCE: http://www.thegfce.com/initiatives/responsible-disclosure-initiative-ethical-hacking/documents.
Participating organisations so far:
ABN AMRO, CIOforum Belgian Business, CIO Platform Nederland, Corbion Group Netherlands, Eneco, European Network for Cyber Security, Honeywell, IHC Merwede, ING, KPN, LUMC, NS, NUON, NXP, Palo Alto Networks, Philips, PostNL, Rabobank, SAAB, Schuberg Philis, SNS Bank, Stedin, Surfnet, Tennet, TNO, Vodafone and VOICE.