Increasing levels of cyberthreat are impacting media organisations. One successful pre-emptive approach to mitigation is the establishment of a responsible vulnerability disclosure programme or policy.
This recommendation provides cybersecurity guidance for media companies on how to establish vulnerability disclosure policies and programmes. It also proposes an example policy which can be customised to the organisation’s own policies, processes and legal framework(s).
By detailing the permitted scope of any testing and the process by which bugs and vulnerabilities can be reported, it is hoped that the security research community will be encouraged to investigate and disclose issues responsibly before they can be exploited.
This policy does not preclude, or make any specific recommendations regarding, the use of brokers to administer responsible disclosure programmes or reward programmes (‘bug bounty’ programmes); these may also be worth considering, especially where skilled security personnel are lacking.