Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?

Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk.

(Image credit: Getty Images)

The UK’s National Cyber Security Centre (NCSC) is extending its vulnerability research capabilities by partnering with external partners rather than relying entirely on its own analysts.

Dubbed the Vulnerability Research Initiative (VRI), the new initiative builds on existing external relationships and has been largely welcomed by the industry.

The agency explained it already works closely with the UK government, technology companies, and wider public to discover flaws, provide advice on staying safe online, and respond to cyber incidents.

The Vulnerability Research Initiative (VRI), however, is a more collaborative affair that brings in specialist cybersecurity expertise.

“The VRI’s mission is to strengthen the UK’s ability to carry out VR,” the NCSC said in a statement announcing the scheme.

“We work with the best external vulnerability researchers to deliver deep understanding of security on a wide range of the technologies we care about. The external VRI community also supports us in having tools and tradecraft for vulnerability discovery,” it added.

The agency also outlined who is in the core VRI team, including technical experts, relationship managers, and project managers. Additional details, including what external partners are involved, remain vague.

Kevin Robertson, CTO of Acumen Cyber, said the project “sounds promising in theory” but claimed the NCSC has a “track record of largely ineffective and self-serving programs [and] it could end up as another flop that delivers little real value”.

Others in the industry were more positive about the announcement, however.

Kev Breen, senior director of cyber threat research at Immersive, welcomed the decision as a proactive step to identifying and tackling security threats.

“There is a great deal of capability in the public domain, especially in more niche areas of research,” he said.

“It is not practical for the NCSC to maintain the necessary skills, time, and resources to effectively hunt for bugs across all of these domains.

“Extending the VRI to include the wider community, via invitation or application, is an excellent way to broaden that knowledge base.”

Will the NCSC scheme go far enough?

Notably, Breen warned that the lack of financial reward, as seen in a bug bounty program, may reduce the number of researchers willing to get involved.

Google, for example, offers between $100 and $31,337 for a qualifying bug, according to Geeks for Geeks.

Microsoft, meanwhile, has several bug bounty programs, offering up to $300,000 for vulnerabilities found in Azure or up to $30,000 for issues in Windows Insider Preview as just two examples.

On the hardware side, Intel offers between $500 and $100,000 for valid reports, depending on the risk level and nature of the bug.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

TOPICS

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.