Approximately 30 organisations have signed the Coordinated Vulnerability Disclosure Manifesto today, in which they declare their support for the principle of having a point of contact to which IT vulnerabilities can be reported, and state that they have already set this up in their own organisations or will do so soon. By signing the manifesto, the participating organisations acknowledge the importance of the efforts of researchers and the hacker community to make the internet and our society safer. The manifesto is an initiative of Rabobank and CIO Platform Nederland. The signing took place during the High Level Meeting Cyber Security in Amsterdam, organised by the Ministry of Security and Justice in the context of the Dutch chairmanship of the EU.
Over recent years the importance of ICT and the role it plays in our daily lives has grown exponentially. With it, our dependence on the internet and ICT has grown as well, and so have the potential negative consequences of vulnerabilities in our ICT systems. Cooperation between organisations and the cyber security community can help to find and solve these vulnerabilities. The manifesto aims to make all parties more aware of the importance of this cooperation, in order to make the ICT landscape as safe as possible for everybody. The organisations that are signing the manifesto offer outsiders the possibility to report the vulnerabilities they have found via a simple procedure.
Wim Hafkamp, Chief Information Security Officer at Rabobank: ‘Customers want to take care of their banking in a safe, quick and easy way. Reliability and security of our systems are of fundamental importance to keep the trust of our customers. Via this manifesto we give security researchers and ethical hackers the opportunity to report possible weaknesses to us. Reporters do not have to worry about legal action on our part. On the contrary, reported vulnerabilities will always be taken seriously. We do have some ground rules for this process, both for the reporter and for the receiving party. In this way organisations are in permanent dialogue with known and unknown cyber security researchers. We are very pleased to make this step today, with approximately 30 organisations. Cooperation and learning from each other is so important in this field of work.’
Ronald Verbeek, Director CIO Platform Nederland: ‘With this manifesto we want to acknowledge the efforts of researchers and the hacker community, as well as emphasize the importance of balance between transparency and time-to-react. On the one hand the public must be informed about newly discovered security leaks. On the other hand the organizations must be given the time to investigate and resolve the weaknesses. Vulnerable parts in systems can cause a lot of damage if they are not dealt with in time; we prefer that these vulnerabilities are reported by well-intended hackers instead of abused by malevolent criminals.’
Amongst the organisations that have signed are large players in the fields of transport, healthcare, energy and banking. Newly interested organisations can still sign the manifesto after today. This initiative will be accommodated by the Global Forum on Cyber Expertise (GFCE). Best Practice documents for implementation are made available by CIO Platform Nederland, based on documents from Coöperatie SURF U.A. More information about this initiative, the manifesto itself and the signatories can be found on the website of the GFCE: https://www.thegfce.com/initiatives/r/responsible-disclosure-initiative-ethical-hacking