The UK’s National Cyber Security Centre (NCSC) is extending its vulnerability research capabilities by partnering with external partners rather than relying entirely on its own analysts.
Dubbed the Vulnerability Research Initiative (VRI), the new initiative builds on existing external relationships and has been largely welcomed by the industry.
The agency explained it already works closely with the UK government, technology companies, and wider public to discover flaws, provide advice on staying safe online, and respond to cyber incidents.
The Vulnerability Research Initiative (VRI), however, is a more collaborative affair that brings in specialist cybersecurity expertise.
“The VRI’s mission is to strengthen the UK’s ability to carry out VR,” the NCSC said in a statement announcing the scheme.
“We work with the best external vulnerability researchers to deliver deep understanding of security on a wide range of the technologies we care about. The external VRI community also supports us in having tools and tradecraft for vulnerability discovery,” it added.
The agency also outlined who is in the core VRI team, including technical experts, relationship managers, and project managers. Additional details, including what external partners are involved, remain vague.
Kevin Robertson, CTO of Acumen Cyber, said the project “sounds promising in theory” but claimed the NCSC has a “track record of largely ineffective and self-serving programs [and] it could end up as another flop that delivers little real value”.
Others in the industry were more positive about the announcement, however.
Kev Breen, senior director of cyber threat research at Immersive, welcomed the decision as a proactive step to identifying and tackling security threats.
“There is a great deal of capability in the public domain, especially in more niche areas of research,” he said.
“It is not practical for the NCSC to maintain the necessary skills, time, and resources to effectively hunt for bugs across all of these domains.
“Extending the VRI to include the wider community, via invitation or application, is an excellent way to broaden that knowledge base.”
Will the NCSC scheme go far enough?
Notably, Breen warned that the lack of financial reward, as seen in a bug bounty program, may reduce the number of researchers willing to get involved.
Google, for example, offers between $100 and $31,337 for a qualifying bug, according to Geeks for Geeks.
Microsoft, meanwhile, has several bug bounty programs, offering up to $300,000 for vulnerabilities found in Azure or up to $30,000 for issues in Windows Insider Preview as just two examples.
On the hardware side, Intel offers between $500 and $100,000 for valid reports, depending on the risk level and nature of the bug.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- The NCSC just urged enterprises to ditch Windows 10 – here’s what you need to know
- The NCSC wants developers to get serious on software security
- NCSC expert urges businesses to follow geopolitics as defensive strategy
-
Snowflake names Chris Niederman as new channel chiefNews Chris Niederman joins the business from AWS, where he led the cloud giant’s global partner strategy and industry transformation initiatives
-
IT leaders don’t trust AI agents yet – and they’re missing out on huge financial gainsNews While the hype around agentic AI is building, trust in fully autonomous agents is proving to be a major stumbling block for enterprise IT leaders.
-
‘States don’t do hacking for fun’: NCSC expert urges businesses to follow geopolitics as defensive strategyNews Paul Chichester, director of operations at the UK’s National Cyber Security Centre, urged businesses to keep closer tabs on geopolitical events to gauge potential cyber threats.
-
Cyber attacks have rocked UK retailers – here's how you can stay safeNews Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Five Eyes cyber agencies issue guidance on edge device vulnerabilitiesNews Cybersecurity agencies including the NCSC and CISA have issued fresh guidance on edge device security.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
