Luta Security Guides Creation of First UK Government Vulnerability Coordination Pilot

March 15, 2017

The UK government announced today at the CYBERUK Conference that its new National Cyber Security Centre (NCSC) is partnering with Luta Security, Inc. to invite a select group of security practitioners in the community to participate in the historic first UK government pilot for vulnerability coordination.

The pilot is a formalization of previous ad hoc UK government vulnerability coordination efforts, with the goal of designing a mature process to receive, triage, and remediate ongoing vulnerability disclosures from the security community. This is the first formal vulnerability coordination pilot in the history of the UK government.

‘Vulnerabilities in deployed stuff are always going to be found so having a mature vulnerability handling process is really important for any organisation. This vulnerability co-ordination pilot will help the NCSC understand what characteristics are important in such a process and make it easier for people to tell us about potential vulnerabilities in our own services. We’ll be sharing all we learn to help others protect themselves, while we scale up what works for the UK public sector.’ – Dr. Ian Levy, Technical Director, NCSC

Registration for a group of invited participants will begin soon, and the pilot will run against selected public-facing web targets over the next few months. Critical and sensitive data and services will not be in scope in the initial pilot program.

The NCSC Vulnerability Coordination Pilot is being led by the NCSC, under the advisory services of Luta Security, Inc.

“The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security. We are a part of GCHQ. The NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI).” – NCSC About Us

Luta Security is the first and only firm to offer expert business solutions architecture consulting to create mature, robust vulnerability coordination programs, based on ISO 29147 Vulnerability disclosure, ISO 30111 Vulnerability handling processes, and the Vulnerability Coordination Maturity Model (VCMM), the latter created by Luta Security’s founder and CEO, Katie Moussouris.

By providing a legal avenue for the coordinated disclosure of security vulnerabilities, the NCSC Vulnerability Coordination Pilot is an opportunity to learn by doing, improving and maturing government vulnerability coordination and handling processes, while contributing to the security of selected public-facing NCSC web targets. The results of the pilot, along with some valuable lessons learned, will be announced in the future.

“Vulnerability Coordination is a key component of running more secure systems and services. More than ever, governments and private companies need to enlist the help of security researchers who want to point out security holes to get them fixed before they are exploited. Luta Security is thrilled to help the UK government with this historic Vulnerability Coordination pilot program.” – Katie Moussouris, Founder and CEO, Luta Security