In today’s global economy, more and more businesses are making sound cybersecurity practices a priority.

But it’s no longer enough to embrace these practices at your business alone: ensuring the companies you work with as vendors also have the most secure Internet practices is just as important.

The challenge? Ask any business in Silicon Valley and they’ll tell you measuring and mitigating vendor risk is as cumbersome as it is crucial.

It’s time to change that. That’s why today Uber’s cybersecurity team is joining with top tech companies to launch the first-ever Vendor Security Alliance (VSA), a coalition to enable businesses to streamline their vetting process for vendors’ cybersecurity risks.

The VSA will bring together the best and brightest from leading tech companies such as Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square, and Twitter. This marks the first time the industry is uniting to solve vendor compliance challenges and freely share its work with other companies.

Together, we’ll create cybersecurity standards that will help protect companies, big and small, new and old, from risks in a way that builds trust and accountability in the vendor community.


In September, experts from nine VSA companies will build a questionnaire to measure vendor cybersecurity risk, covering areas such as policies, procedures, privacy, vulnerability management and data security. In October, VSA will make this first questionnaire publicly available for free. It will be used to determine the quality of a vendor’s cybersecurity practices, and to benchmark current practices inside the business.

Importantly, the VSA scoring process will help standardize acceptable cybersecurity practices for companies. No more reinventing the wheel company by company, vendor by vendor.

Once complete, the questionnaire will be evaluated, audited, and scored by an independent third-party auditor working alongside the VSA. Points will be granted for sound practices and taken away for practices that could increase security risks. Vendors can then use that score when seeking to offer their services to any business in the VSA, without the need for further audits. Each year the VSA will develop a new questionnaire, which will continuously raise the bar for vendors and hold them accountable for increasing cybersecurity standards.


Sharing expertise and standardizing acceptable cybersecurity practices will create a baseline of acceptable security for all vendors, as well as reduce vendor risk. Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors’ security practices.

The VSA will also enable companies to save time and money through the use of a standardized cybersecurity evaluation with real-time answers. The current way of evaluating cybersecurity risks and approving vendors can take several months; the new VSA process cuts that down to minutes.

When more businesses have stronger cybersecurity standards, the Internet is safer for everyone. To learn more about joining the VSA or to download the questionnaire starting October 1, go here.

Check out Square’s blog here and Atlassian’s blog here.