NCSC calls on private researchers to help bolster critical infrastructure

But don’t expect a bug bounty

The UK's National Cyber Security Centre (NCSC) has announced a new Vulnerability Research Initiative (VRI) designed to bring together public, private sector and individual.

Announced on Tuesday, the VRI emphasises the role of collaboration and knowledge sharing in bolstering the UK’s cyber defences.

However, the lack of any financial incentives may limit the extent of private sector or individual participation.

The NCSC says it wants to increase collaboration with external experts to improve its in-house abilities to find and fix vulnerabilities within critical infrastructure, government and businesses.

“The VRI's mission is to strengthen the UK's ability to carry out VR,” the announcement says. “We work with the best external vulnerability researchers to deliver a deep understanding of security on a wide range of technologies we care about.”

A core team of experts will identify areas of interest and communicate them to external researchers.

The external researchers will then assist the VRI team to understand vulnerabilities in particular products and services and potential mitigations. As well as information about bugs, the NCSC is keen that researchers share their research methodology and the tools they use to identify vulnerabilities.

The NCSC says it will use this information to inform its guidance to UK organisations, as well as encouraging technology vendors to patch their products in a timely fashion.

Information disclosed to the cyber agency will be handled via the existing GCHQ Equities Process, through which decisions about how to handle and communicate information about technology vulnerabilities are made.

Kev Breen, senior director of cyber threat research at Immersive, welcomed the announcement as a way of boosting the capabilities of the NCSC. He noted that it is not practical for the agency to maintain the necessary skills and resources to hunt for bugs across all domains.

“There is a great deal of capability in the public domain, especially in more niche areas of research,” said Breen.

“Extending the VRI to include the wider community, via invitation or application, is an excellent way to broaden that knowledge base.”

However, Breen flagged the lack of a financial incentive as a potential sticking point. “This may limit the number of individuals willing to participate, as there is little incentive to contribute when they could be compensated for similar work through existing bug bounty schemes.”

At the end of last year, the NCSC warned that cyber threats facing the UK are “widely underestimated” as the world has become increasingly unstable.

At the time, government minister Pat McFadden said: “We must work alongside industry to meet the increasingly sophisticated challenges we face and make the UK the safest place to live and work online.”