Bug bounty program provider HackerOne released its “Vulnerability Coordination Maturity Model” on Tuesday to help companies assess and handle vulnerabilities in their systems.
In a blog post, HackerOne described the model as a “new and practical open guide” to help organizations “measure, benchmark and improve their vulnerability handling capabilities when someone reports a security bug to them,” and said it stemmed from a gap in “practical guidance in vulnerability coordination.”
The model looks at five areas: organizational, engineering, incentives, communications and analytics. At the organizational level, for instance, the most basic vulnerability coordination requires executive support, whereas the most technical, or expert level, requires dedicated personnel.
“Each vulnerability reported to you isn't necessarily a crisis, but it's something to remind you that code is written by humans, who are flawed, yet we are also great at improving ourselves when motivated and given guidance to do so,” the blog post noted.