NIST: Vulnerability Disclosure as a Requirement for Every Organization

The NIST Cybersecurity Framework is a set of policies meant to help private-sector organizations strengthen their cybersecurity readiness and awareness. The framework is published by the National Institute of Standards and Technology (NIST), under the US Department of Commerce.

Originally designed for critical infrastructure IT, it has since been adopted by private sector organizations as part of their risk management and cybersecurity practices. In fact, it’s estimated that half of the organizations in the US use the framework. It has also been adopted by the information security agencies of other countries, including Italy, Israel and Japan.

Updates to the Cybersecurity Framework

Since its inception in 2014, the framework has been updated several times to keep up with evolving threats. Version 1.1, released in 2017, included guidance on performing self-assessments, supply chain risk management, and vulnerability disclosure.

This revision is the result of a massive industry effort. During the spring of 2017 a number of organizations, including Duo Security (and yours truly), submitted a letter in response to NIST’s call for public comment on the framework.

After the updates, the draft now includes the following:

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

This language is very close to that suggested in the letter’s primary recommendation: “Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from external sources.”

The revised framework also mentions researchers in its Tier 1 implementation (pg. 10). This is an exciting addition and one that paves the way for the whitehat community to partner with organizations.

What the NIST Update Means for Vulnerability Assessment

These updates mark an incredibly important move by NIST. The news comes on the heels of another year of escalating cyberattacks and a growing focus from the federal government on vulnerability disclosure.

RiskBased Security’s 2020 report found that 36 billion records were exposed by data breaches in the first half of 2020 alone. Although the increased scope of cybersecurity threats is unfortunate, their sheer volume is causing policymakers to respond, and that’s a positive thing.

Adding to the positive changes, the White House recently released the Federal IT Modernization Report. This report positions vulnerability disclosure as a best-practice approach to external security testing for the U.S. Government. This is another major step forward not only for the model, but most importantly, for the security of everyone in the U.S.

2020 was undoubtedly another year of escalation in size, scope, and scale of cyberattacks. It goes without saying that this past year every single American was impacted by at least one of these breaches.

Wrapping It Up

With policies and standards in place such as NIST, Data Security, and the Breach Notification Act, it’s now incumbent on organizations to ensure they are set up to receive vulnerability data from external parties. This practice is already becoming a standard for major private organizations.

On behalf of Bugcrowd, thank you to all of those who responded to the call and expressed support for this very positive change! To learn more about vulnerability testing, read Bugcrowd’s Ultimate Guide to Pentesting.

Originally published at https://www.bugcrowd.com on March 8, 2021.

founder/chairman/cto @bugcrowd and co-founder of @disclose_io. troubleshooter and troublemaker. 0xEFC513EA

caseyjohnellis