In continuation of the earlier posts, the following are the obligations that the Dutch National Cyber Security Council has placed on the owners of systems.
According to the guidelines, the organization must have a policy on "Responsible Disclosure" and must publish that policy so that it is publicly known.
The organization must also make it easy for a reporter (the person who discovers a vulnerability) to submit a report. This can be done in a standardized manner, for example through an online form used for submitting reports. Here the organization can also weigh whether it wishes to receive anonymous reports.
The organization reserves enough capacity to respond adequately to reports.
The organization takes receipt of the vulnerability report and ensures that it reaches, as soon as possible, the department best placed to assess and investigate it.
The organization sends the reporter an acknowledgment of receipt, preferably digitally signed, to emphasize the priority given to the report. After that, the organization and the reporter stay in contact about the further process.
The organization determines, in consultation with the reporter, the deadline by which any publication will take place. A reasonable standard term for software vulnerabilities is 60 days. Because vulnerabilities in hardware are harder to fix, a reasonable standard term for hardware is 6 months.
In consultation it may be desirable to extend or shorten this deadline, depending on how many systems rely on the system in which the vulnerability was reported.
If a vulnerability cannot be resolved, or can only be resolved with difficulty, or if resolving it involves high costs, the reporter and the organization may agree to leave the vulnerability undisclosed.
The organization keeps the reporter and other stakeholders informed about the progress of the process.
The organization can state that it will give the reporter credit for the report, if the reporter so wishes.
The organization may choose to give the reporter a reward or token of appreciation for reporting vulnerabilities in ICT products or services, provided the reporter has kept to the rules set out in the policy. The size of the reward may depend on the quality of the report.
The organization may, in consultation with the reporter, agree to inform the broader IT community about the vulnerability when it is probable that the vulnerability also exists elsewhere.
The organization commits in the adopted policy not to take legal action, as long as the reporter keeps to that policy.
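The receipt and deadline steps above (acknowledge the report, preferably with a digital signature, and agree a publication date of 60 days for software or 6 months for hardware, adjustable in consultation) are shown here as an added Go example. This code is not part of the brochure or of this post; the Ed25519 key, the report identifier and the dates are constructed placeholders, and the canonical text that is signed is an assumption of this example rather than a format the guideline prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Category of the affected product; the guideline gives different standard terms for each.
type Category string

const (
	Software Category = "software"
	Hardware Category = "hardware"
)

// StandardDeadline returns the default publication date for a report received at
// `received`: 60 days for software, 6 months for hardware, as the guideline states.
func StandardDeadline(cat Category, received time.Time) (time.Time, error) {
	switch cat {
	case Software:
		return received.AddDate(0, 0, 60), nil
	case Hardware:
		return received.AddDate(0, 6, 0), nil
	}
	return time.Time{}, errors.New("unknown category")
}

// AdjustDeadline models the extension or shortening agreed in consultation:
// a positive number of days moves the date later, a negative one earlier.
func AdjustDeadline(deadline time.Time, days int) time.Time {
	return deadline.AddDate(0, 0, days)
}

// Acknowledgment is the receipt the organization returns to the reporter.
type Acknowledgment struct {
	ReportID   string
	ReceivedAt time.Time
	Deadline   time.Time
	Signature  []byte // Ed25519 signature over canonical()
}

// canonical renders the signed fields in a fixed text form (assumed format).
func (a Acknowledgment) canonical() []byte {
	return []byte(fmt.Sprintf("report=%s\nreceived=%s\ndeadline=%s\n",
		a.ReportID,
		a.ReceivedAt.UTC().Format(time.RFC3339),
		a.Deadline.UTC().Format(time.RFC3339)))
}

// Acknowledge builds the receipt with the standard deadline and signs it with the
// organization's private key.
func Acknowledge(priv ed25519.PrivateKey, reportID string, cat Category, received time.Time) (Acknowledgment, error) {
	deadline, err := StandardDeadline(cat, received)
	if err != nil {
		return Acknowledgment{}, err
	}
	ack := Acknowledgment{ReportID: reportID, ReceivedAt: received, Deadline: deadline}
	ack.Signature = ed25519.Sign(priv, ack.canonical())
	return ack, nil
}

// VerifyAcknowledgment lets the reporter check the receipt against the organization's
// published public key; any change to the signed fields makes this return false.
func VerifyAcknowledgment(pub ed25519.PublicKey, a Acknowledgment) bool {
	return ed25519.Verify(pub, a.canonical(), a.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key, not a real one
	received := time.Date(2013, 1, 3, 10, 0, 0, 0, time.UTC) // constructed receipt time
	ack, _ := Acknowledge(priv, "RD-0001", Software, received) // constructed report id
	fmt.Println("deadline: ", ack.Deadline.Format("2006-01-02"))
	fmt.Println("signature:", hex.EncodeToString(ack.Signature))
	fmt.Println("verifies: ", VerifyAcknowledgment(pub, ack))
}
```

The private key stays with the organization; the reporter only needs the public key, which can be published next to the disclosure policy, to confirm that an acknowledgment genuinely came from the organization and that the agreed deadline was not altered afterwards.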
These guidelines may now be construed as a "Best Practice" for organizations to which they apply, and Information Assurance auditors and consultants may take note of them when implementing information security in an organization.
More details are available in this translated copy of the brochure:
[P.S.: Kindly excuse some spelling errors on account of the unedited translation of the original Dutch document]