A case for public support for vulnerability disclosure policies

This paper makes a case for public administrations to give fiscal incentives to companies that have internal processes in place to manage vulnerabilities in their digital environments. It presents an exploration of the importance of implementing a vulnerability disclosure policy (VDP) and the potential benefits of government fiscal contributions to companies adopting such policies. It emphasises the significance of fostering a culture of transparency, collaboration and enhanced cyber security through responsible vulnerability disclosure practices. By incentivising organisations to adopt a VDP, governments will strengthen threat detection and response capabilities, foster public-private partnerships, promote national and international cyber resilience and ultimately achieve economic and societal benefits. By providing financial support, governments could transform cyber security departments from cost centres to profit centres that would attract the interest of the management and turn in more resource allocation. In some cases, governments use legislation to push top-down the adoption of VDPs. This approach is normally adopted for sectors that are considered critical for the society, but it seems impractical to replicate for all business and organisations that are not critical simply because the government would not have the resources to enforce such a measure. Thousands of companies and organisations that are not critical could still benefit from adopting a VDP, making society as a whole more resilient. This paper argues that the right approach towards VDP consists in combining the ‘stick’ of legislative obligations with the ‘carrot’ of fiscal and financial support to companies and organisations to generate a large-scale bottom-up support for VDP adoption. Fiscal or financial support from public institutions to private organisations that have procedures in place to manage vulnerabilities could be a game changer and transform cyber security departments into profit centres able to attract more private resources internal to the company. Another element that could help wider adoption of VDP would be a legal shield for both companies that adopt a VDP and cyber security researchers that report vulnerabilities through this system. To strengthen the resilience of a digital society, it is important that laws on computer crime distinguish between someone that hacks into a computer system with malicious intent and someone that does it to identify weaknesses and report them to the owner of the system. Cyber security researchers that act in good faith provide an invaluable positive contribution to cyber security and must not feel discouraged or intimidated by legislations or prosecutors.