The Vulnerability Disclosure Toolkit from the NCSC can help charities keep their staff, service users, and supporters safe online
Experts from the National Cyber Security Centre provide guidance for charities looking to address their vulnerabilities and protect themselves from cyber crime.
The digitisation of charity work has been the hot topic of sector discussion for some time now. The COVID-19 pandemic has accelerated existing trends of digital transformation, as charities have moved fundraising, service delivery, and outreach work into the digital world.
But this move to digital comes with its own risks as well as its own rewards. Cyber criminals are aware of the increase in the charity sector’s digital operations. They are also aware that many charities adopted their new digital processes on an ad hoc basis in March 2020 as a response to the COVID-19 pandemic.
As such, charity leaders and cyber security experts will not have had time to subject these processes to the levels of scrutiny that any new addition would go through under normal circumstances.
Any online services that do not have cyber security built into the design are vulnerable to attack.
Security vulnerabilities are discovered within online services all the time. A growing number of people are reporting them directly to the organisation responsible before a cyber criminal can take advantage.
According to a report by HackerOne, there has been a 63% increase in the number of vulnerabilities being reported to organisations over the past year.
The report goes on to highlight the importance of a good vulnerability disclosure process. It also covers how such a process can help demonstrate an organisation’s commitment to resolving cyber security issues and prioritising supporter safety.
The NCSC has produced a free Vulnerability Disclosure Toolkit to help organisations of all sizes learn more about implementing a vulnerability disclosure process. The toolkit contains three components to help improve the disclosure process: Good Communication, Clear Policy, and Ease of Use.
Setting up a dedicated email address (such as firstname.lastname@example.org) or contact web form ensures that the vulnerability information gets to the person who can fix the issue.
The NCSC recommends that vulnerability information is protected. One of the easiest ways to achieve this is to use a secure web form. You should make sure this contact route is easy to find. You can add it to your ‘Contact Us’ web page (or privacy or security pages) and publish a security.txt.
If you don’t want to highlight it on a web page, then you should publish the contact route in a security.txt.
By providing a clear policy, you define what to expect from someone reporting a vulnerability (as well as what you will do in response). This means you can work with them in an agreed framework.
The ISO standard defines the minimum requirements for a vulnerability disclosure policy.
In its basic form, a vulnerability disclosure policy should contain the following information:
There is no point to a vulnerability disclosure process if no one knows it exists, or it is difficult to use.
So, the process should be easy for the organisation to set up, and easy for individuals to report vulnerabilities.
The proposed IETF standard security.txt is a great way for an individual to easily find all the information required.
It describes a text file that webmasters can host in the “/.well-known/” directory of the domain root. It advertises the organisation’s vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability.
The file contains two key fields:
Whilst it is not intended to be a comprehensive guide to creating and implementing a vulnerability disclosure process, the toolkit will help you focus on the essential components needed to make a start.
Even if your organisation already has a process in place, please download the toolkit as it may help you to develop what you already have in place.
Download the Toolkit to learn more