Abstract
This paper makes a case for public administrations to give fiscal incentives to companies that have internal processes in place to manage vulnerabilities in their digital environments. It explores the importance of implementing a vulnerability disclosure policy (VDP) and the potential benefits of government fiscal contributions to companies adopting such policies. It emphasises the significance of fostering a culture of transparency, collaboration and enhanced cyber security through responsible vulnerability disclosure practices. By incentivising organisations to adopt a VDP, governments will strengthen threat detection and response capabilities, foster public-private partnerships, promote national and international cyber resilience and ultimately achieve economic and societal benefits. By providing financial support, governments could transform cyber security departments from cost centres into profit centres that would attract the interest of management and bring in more resource allocation. In some cases, governments use legislation to push the adoption of VDPs top-down. This approach is normally adopted for sectors that are considered critical for society, but it seems impractical to replicate for all businesses and organisations that are not critical, simply because the government would not have the resources to enforce such a measure. Thousands of companies and organisations that are not critical could still benefit from adopting a VDP, making society as a whole more resilient. This paper argues that the right approach towards VDP consists of combining the 'stick' of legislative obligations with the 'carrot' of fiscal and financial support to companies and organisations, to generate large-scale bottom-up support for VDP adoption.
Fiscal or financial support from public institutions to private organisations that have procedures in place to manage vulnerabilities could be a game changer and transform cyber security departments into profit centres able to attract more of the company's own internal resources. Another element that could help wider adoption of VDPs would be a legal shield for both companies that adopt a VDP and cyber security researchers who report vulnerabilities through this system. To strengthen the resilience of a digital society, it is important that laws on computer crime distinguish between someone who hacks into a computer system with malicious intent and someone who does it to identify weaknesses and report them to the owner of the system. Cyber security researchers who act in good faith provide an invaluable positive contribution to cyber security and must not feel discouraged or intimidated by legislation or prosecutors.
Suggested Citation
Bordone, Francesco, 2023.
"A case for public support for vulnerability disclosure policies,"
Cyber Security: A Peer-Reviewed Journal, Henry Stewart Publications, vol. 7(2), pages 163-171, December.
Handle:
RePEc:aza:csj000:y:2023:v:7:i:2:p:163-171