Spotlight on coordinated disclosure

This ISP Spotlight guest blog focusses on coordinated disclosure. It is by Barry Brailey, Chair of the New Zealand Internet Task Force which wrote New Zealand's only guidelines on coordinated disclosure back in 2013.

All software has vulnerabilities. The larger your code base, the more likely your software has bugs. That's why projects like the Open Web Application Security Project (OWASP) exist. They highlight the 10 most common web application bugs that people code, and train people not to do them.

Coordinated disclosure is a practice that has grown out of the early 2000s in the US. As websites and online services have grown and become more and more important parts of our daily and economic life, we need to have processes to make our systems more secure and reduce vulnerabilities. Security teams and consultants help IT departments through multiple steps, tools and processes to make software that is secure, robust and useful.

Coordinated disclosure is one of these tools. It's a way for companies to get feedback from their customers and security researchers about security vulnerabilities in the company's services. Making it easy for people to tell you when they find vulnerabilities is common sense, it belies a certain level of security maturity and helps organisations secure their systems.

Coordinated disclosure is also important for researchers. No-one likes learning about vulnerabilities in their systems on the news or on twitter. Coordinated disclosure creates clear rules of the road for the researchers as well as companies. We produced our Coordinated Disclosure guidelines because we, as security professionals, felt that New Zealand was slipping behind the rest of the world when it came to making it easy for security researchers to tell ISPs, banks and other important companies about vulnerabilities in their systems.

We think it's great to see InternetNZ including coordinated disclosure in the ISP Spotlight. ISPs are central to how New Zealanders access the Internet. It's important that they have secure, robust systems and networks and any 21st century ISP should be implementing a coordinated disclosure policy.

It's encouraging to see Spark and it's brands (Bigpipe and Skinny) start to make it easier to security researchers by clearly stating on their websites that they want to hear about security vulnerabilities.

I'm particularly pleased with Vocus and its brands Flip, Orcon and Slingshot. They've linked to our guidelines (always appreciated), the email address for their network security team is on their website and, to top it all off, they include information about PGP and how to communicate with them securely.

Well done Vocus and well done InternetNZ for shining a light on coordinated disclosure practices in our ISPs.

If you want to know more about coordinated disclosure you can download the NZITF guidelines or email the NZITF's disclosure team at


Coordinated disclosure is one of the issues that ISPs are rated on in the ISP Spotlight website. See more here:
ISP Spotlight