The EBU has published a pair of Recommendations that aim to help identify and address cybersecurity vulnerabilities. R 160 sets out a procedure to establish mutually beneficial communication between a media company and the vendor of a product or service in which a vulnerability has been detected. R 161 provides guidance on setting up a responsible vulnerability disclosure programme.
Both documents were developed within the EBU's Media Cybersecurity group.
A responsible vulnerability disclosure programme (RVDP) is the means by which a company can have bugs identified by ethical hackers, sometimes known as "white hats". An RVDP defines what types of vulnerability are rewarded, how to disclose them to the company and what rewards are offered. It promotes clarity around a company's security policies.
Such is the popularity of RVDPs and the so-called "bug bounties" they offer to ethical hackers that a whole ecosystem of brokers has emerged in the cybersecurity industry. While such brokers are an option for public service media organizations, an internal programme and non-financial rewards may also be considered. The overall aim is to outsource part of a company's continuous vulnerability assessment activities.
EBU Members that have an RVDP in place include BBC, VRT and NPO. EBU R 161 provides advice on establishing an RVDP. (See page 5 of issue 40 of tech-i magazine for more information on responsible disclosure.)
Complementing R 161 is another document that recommends a procedure to follow when a critical vulnerability has been identified in a given vendor's product or service. The four-step procedure, set out in EBU R 160, is designed to allow enough time for media system vendors to respond to a media company's disclosure.
The overall goal is to foster constructive dialogue between vendors and broadcasters, leading to a more secure media industry. It is anticipated that EBU Members and other media companies that inform a vendor about a vulnerability will indicate that they are doing so in accordance with the procedure set out in R 160. This will provide clarity for all parties.