HackerOne Releases Vulnerability Coordination Maturity Model to Help Companies Measure and Improve Handling of Bug Reports

Free public benchmarking tool establishes best practices and offers roadmap to assess any organization’s ability to respond to vulnerability reports

SAN FRANCISCO--HackerOne, the vulnerability management and bug bounty platform, today released a new tool designed to help organizations improve the way they respond to reports about vulnerabilities in their software. The Vulnerability Coordination Maturity Model (VCMM) was created as a guide that companies can use to learn the best practices for vulnerability response, measure how they compare to others, and take actions that will help them address issues before bad actors can exploit them. Anyone can assess their organization’s vulnerability coordination maturity by going to HackerOne and answering a set of questions.

The VCMM is organized around five capability areas that determine an organization’s maturity level with respect to vulnerability response, including whether the company is organizationally set up to receive reports (for example, through a “security@company.com” email address or a submission form) and what actions the organization takes when a report is made. Historically, security researchers who found vulnerabilities either couldn’t find a way to report a security issue to a company or, if they did report it, may have been threatened with legal action. Armed with the VCMM, organizations have a free, practical resource to aid in establishing and improving their response to vulnerability reports and their coordination with security researchers, customers and partners.

“No software is immune to bugs; for most organizations it’s not a matter of if they’ll have an external hacker reporting security vulnerabilities, but when,” said Katie Moussouris, chief policy officer, HackerOne. “This maturity model shows how to build muscles and reflexes in vulnerability coordination to improve the security of an organization’s software, and the outcome for all parties when vulnerabilities are disclosed.”

About HackerOne

HackerOne is the leading vulnerability disclosure and bug bounty platform, connecting businesses with the world’s largest community of highly qualified security researchers. More than 300 organizations, including Yahoo!, Adobe, Slack, Square and Twitter, use HackerOne to hear about their critical software vulnerabilities before criminals can exploit them. HackerOne is headquartered in San Francisco with offices in the Netherlands. For more information visit www.hackerone.com.

Contacts

HackerOne
Lauren Koszarek
Director of Communications
lauren@hackerone.com
or
Bateman Group
Kerry Tescher, 415-503-1818
hackerone@bateman-group.com