The UK’s National Cyber Security Centre (NCSC) has lifted the lid on a Vulnerability Research Initiative (VRI) programme designed to engage the private sector on vulnerability research and discovery for the benefit of wider society.
The NCSC already runs a team of internal research experts who spend their days probing a wide range of technologies and products – anything from ubiquitous commodity tech used by consumers, to specialised operational devices used in only a few places.
This in-house capability has made the cyber agency much better informed about the security of commonly deployed technology – and how hard it can be to find vulnerabilities in software products – and helps inform down-the-line advice, guidance and risk mitigations, as well as responses to major disclosure incidents such as Citrix Bleed or Log4Shell.
However, this is a lengthy and involved process, and as the pace of technology development continues to ramp up both in complexity and volume, demand for vulnerability research is soaring.
Enter the VRI, a scheme through which the NCSC will work with external cyber researchers and ethical hackers to expand access to the tools and tradecraft available for vulnerability discovery, and enhance understanding of the security of the technology that daily life in the UK depends on.
Among other things, the VRI aims to better understand the vulnerabilities present in a technology or product, what mitigations might be needed to fix them, how researchers go about conducting their research, and the tooling they use to enable it. The NCSC said this would increase its own vulnerability research capacity and share expertise across the wider ecosystem.
Ultimately, the programme’s output will be used to inform future advice and guidance delivered by the NCSC as the UK’s national technical authority on cyber security, and to better engage with the supplier community, encouraging suppliers to build more secure products in the first place and to fix bugs in existing ones.
Immersive senior director of cyber threat research, Kev Breen, welcomed the NCSC’s decision to try to extend its vulnerability research capabilities: “There is a great deal of capability in the public domain, especially in more niche areas of research. It is not practical for the NCSC to maintain the necessary skills, time and resources to effectively hunt for bugs across all of these domains. Extending the VRI to include the wider community, via invitation or application, is an excellent way to broaden that knowledge base.”
Incentivising researchers
Breen noted, however, that the lack of any associated bug bounties may limit the number of individuals willing to participate in the programme when they could be compensated for conducting similar work through existing schemes.
Kevin Robertson, chief technology officer at Acumen Cyber, agreed: “Cyber is often described as a community sport. However, independent researchers typically have little incentive to collaborate with bodies like the NCSC, as they stand to gain far more recognition and impact by publishing their findings themselves, rather than handing them over to a government agency. It is essential that this does not become yet another example of wasted potential in a field where independent action often proves more meaningful.”
The NCSC said that it was keen to hear from experts in several topics – particularly the potential application of artificial intelligence (AI) to vulnerability research – and is encouraging them to get in touch. More details of the programme, including information on the overarching equities process that governs how newly found vulnerabilities are handled and disclosed, and by whom, are available here.