In this content, we want to give you an idea of how, and why, we do this.
The NCSC has a team of internal researchers who are experts in common technologies who conduct Vulnerability Research (VR) on a range of technologies and products. This includes the traditional commodity tech that’s ubiquitous across the UK, and very specialised technology only used in a few places.
This in-house research makes us better informed about the security of technologies and the difficulty of finding vulnerabilities in the latest and greatest software products. It allows us to shape our advice, guidance, and risk mitigations for the implementation of new and existing technologies, and our response to a new vulnerability or cyber incident. We work closely with UK government, technology companies, and the wider public to share and implement these insights and strategies.
Developing deep understanding and expertise of technologies, security mitigations and products takes time. Technology growth is constant, ever complex, security is improving, and thus VR is getting harder. This means the NCSC demand for VR continues to grow.
Introducing the NCSC’s Vulnerability Research Initiative
The Vulnerability Research Initiative (VRI) is NCSC’s programme of research with external partners on VR.
The VRI’s mission is to strengthen the UK’s ability to carry out VR. We work with the best external vulnerability researchers to deliver deep understanding of security on a wide range of the technologies we care about. The external VRI community also supports us in having tools and tradecraft for vulnerability discovery.
We work closely with industry on tasks to understand:
This successful way of working increases NCSC’s capacity to do VR and shares VR expertise across the UK’s VR ecosystem.
The VRI core team includes a mix of technical experts, relationship managers and project managers. The core team are responsible for getting requirements from our VR team to our VRI industry partners, and monitoring the progress, and outputs, of research.
As well as informing our advice and guidance as the National Technical Authority on cyber security, our research allows us to engage with technology vendors to encourage them to fix the bugs we find and build more secure products.
Our Equities Process provides a mechanism through which decisions about disclosure are taken. Read more about the Equities Process operated on behalf of the Government by GCHQ.
In future we want to extend our engagement with experts on particular topics, e.g. application of AI to VR.
If you’d like to contact the team, you can reach us at vri@ncsc.gov.uk. We’d like to know about your VR skillset and areas of expertise.
Our email address will be monitored. However, we cannot guarantee a response. Please do not send full vulnerability reports to this email address.
If you have a vulnerability in a UK government online service you wish to report, please refer to NCSC’s Vulnerability Reporting.
