Don.D
Posted July 17, 2018

One of our regular columnists, Adrian Sanabria of Savage Security, tackles a topic that should be familiar to all organizations of any size but, unfortunately, many don't even know where to start in "Every Business Needs a Vulnerability Disclosure Policy. Every. Single. Business." He offers examples of failures like Panera Bread and gives ways to create a Vulnerability Disclosure Policy (VDP) but, more importantly, a Vulnerability Handling Policy (VHP) for what to do (not if but) when issues are reported.

Quote:
> An anonymous report claims that a ton of your company's customer data has been exposed. A sense of calm is in the air as you enact your vulnerability disclosure policy. You save the day, get a promotion, and rainbows and unicorns fill the sky.
>
> Then you wake up!! You don't have a vulnerability disclosure policy. Panic quickly washes away the sounds of harps. You've got to verify this incident quickly, you've got to handle it (mitigation and disclosure) well, and you need to carefully manage the narrative in case the story goes public. This isn't one of those '2 out of 3 ain't bad' scenarios — you need to do all three. More than anything though, this information needs to get to the right people quickly to avoid making the problem worse. Who are the right people!?!?

Have you faced situations like this? Does your organization have a vuln disclosure policy? Did you help them create it? Share your experiences in the Comments Section of this article on EH-Net.

Don