Cyber Security cooperation explained at our Belgian neighbours

October 28, 2016

On 25 October 2016, a Cyber Security event was organised by CIO Forum Belgian Business colleagues. Ronald Verbeek spoke there about the cooperation in this area at the CIO Platform Netherlands.

Asked by Belgian colleagues to explain our Coordinated Vulnerability Disclosure manifesto, Ronald used the opportunity to also highlight other initiatives. He visualised this in a circle with three rings.

For security in the inner ring, one's own organisation, a lot of information is shared within the CIO Platform Netherlands. This happens mainly in closed working groups. Very visible, and also available to non-members, is the jointly developed Elevator Game. This aims to increase staff alertness and make discussing security issues in the organisation more accessible.

To increase security in the second ring, that of the organisation's partners, suppliers and customers, several publications have been delivered. These relate to, for instance, gaining insight into the security situation at suppliers, or specific points of attention when choosing Cloud solutions. Also very important is the Code of Conduct published earlier this year, which addresses a more balanced relationship between supplier and customer and also covers matters such as security and liability for the proper functioning of software. These publications can be downloaded here.

Finally, the Coordinated Vulnerability Disclosure manifesto. This is a measure for the outer ring. The parties in this ring are unknown: they may be companies or other organisations, or individuals, and they may mean harm or want to help. Inspired by the Responsible Disclosure policy launched by the Minister of Security and Justice in 2012, CIO Platform Netherlands published a policy and process document and an implementation manual in early 2016. This drew on documents that SURFnet had produced for its members.

The idea of this policy is that organisations publish ground rules on how they want to interact with reporters of vulnerabilities. These include the reporter not publishing the vulnerability and not manipulating data. In turn, the organisation commits to investigating reports seriously and keeping in touch with the reporter about solutions. It is also important to note that the organisation will not report the intrusion into its computer systems if the reporter complies with the rules of the game.

Together with Rabobank and the Dutch government, this policy, under the name Coordinated Vulnerability Disclosure Manifesto, was given a wider stage at the European High Level meeting as part of the European presidency. Some 30 organisations signed the manifesto, thus endorsing the ambition to implement such policies and encourage others to do so. Hence also this visit to Belgian colleagues.

In his part of the presentation, Jethro Cornelissen of Rabobank explained how Responsible Disclosure works out in practice. The common denominator was that Responsible Disclosure/Coordinated Vulnerability Disclosure can sometimes lead to unusual contacts with reporters, and that there is sometimes a lot of chaff among the wheat, but that it certainly also provides useful tips for preventing harmful incidents and bad press.

If you are interested and do not yet apply a Responsible Disclosure policy, please check our publications and search for ‘Coordinated Vulnerability Disclosure’ for more information (including the manifesto itself, but also an implementation guide and model policy).