Too often we see security researchers, whitehat hackers, IT leaders, academics, and journalists reach out to organizations after discovering a vulnerability, only to find that there is no obvious channel for receiving such a report. With hundreds of vulnerabilities found daily, it is crucial to give external parties an obvious and easy way to report them.
Today, security-conscious companies use vulnerability disclosure programs to be proactive about cybersecurity. The reality is that only 9% of the Fortune 500 run vulnerability disclosure programs. Cybersecurity vulnerabilities are inevitable, and data breaches bring real risk to organizations. Only by actively looking for and remediating these vulnerabilities can companies give their customers peace of mind.
But as security leaders and practitioners continue to grapple with a growing skills shortage and expanding attack surfaces, vulnerability disclosure programs will become the norm. With external pressure to demonstrate a strong security posture mounting, we will be expected to work with external security researchers at scale. Vulnerability disclosure programs are becoming expected practice, with positive pressure on the model from legislation and standards, industry peers, consumers, and good-faith hackers. As adoption grows, it is incumbent on companies to be prepared to receive vulnerability data from external parties, with a clear policy, robust communication channels, and backend processes to resolve issues quickly.
But what is a VDP?
A Vulnerability Disclosure Program (VDP) is like a “neighborhood watch” for your organization’s internet-facing assets: if someone sees something, it encourages them to say something. It is a set of guidelines that whitehat hackers can follow to report a vulnerability to an organization in good faith, and it gives the global community of ethical hackers a framework for providing security feedback to organizations.
Every vulnerability disclosure program is different and should be tailored to the specific threat profile, regulation requirements, and assets of your enterprise. However, all vulnerability disclosure programs share three primary components: channel, policy, and process.
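Of the three components, the channel is the one with a machine-readable standard: RFC 9116 defines a security.txt file served at /.well-known/security.txt that tells a researcher where to report. As an added example (not Bugcrowd's or disclose.io's code, and not described on the original page), the script below parses and sanity-checks a security.txt before it is published, so a program does not launch with an expired file, a non-https contact URL, or a duplicated field. The example.com contacts and URLs are constructed for illustration.

```python
"""Check a security.txt (RFC 9116) before publishing it.

Added example; not Bugcrowd's or disclose.io's code. Assumes the file will be
served at https://<host>/.well-known/security.txt. The sample contents and the
example.com URLs below are constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Fields defined by RFC 9116.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages", "CSAF"}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")
HTTPS_ONLY = {"Acknowledgments", "Canonical", "Hiring", "Policy", "CSAF"}


def strip_cleartext_signature(text: str) -> str:
    """Return the signed payload of an OpenPGP cleartext-signed file, else text unchanged."""
    stripped = text.lstrip()
    if not stripped.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    lines = stripped.splitlines()
    i = 1
    while i < len(lines) and lines[i].strip():  # skip armor headers such as "Hash: SHA256"
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body)


def parse_security_txt(text: str) -> list[tuple[str, str]]:
    """Parse 'Field: value' lines; comment (#) and blank lines are ignored."""
    fields = []
    for raw in strip_cleartext_signature(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.append((name.strip(), value.strip()))
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file is publishable."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    counts: dict[str, int] = {}
    for name, value in parse_security_txt(text):
        counts[name] = counts.get(name, 0) + 1
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}")
        elif name == "Contact" and not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be an https, mailto or tel URI: {value}")
        elif name in HTTPS_ONLY and not value.startswith("https://"):
            problems.append(f"{name} must be an https URI: {value}")
        elif name == "Expires":
            iso = value[:-1] + "+00:00" if value[-1] in "zZ" else value
            try:
                expires = datetime.fromisoformat(iso)
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
                continue
            if expires.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif expires <= now:
                problems.append(f"file already expired at {value}")
            elif expires - now > timedelta(days=365):
                problems.append("Expires should be less than a year away (RFC 9116 recommendation)")
    if counts.get("Contact", 0) < 1:
        problems.append("at least one Contact field is required")
    if counts.get("Expires", 0) != 1:
        problems.append("exactly one Expires field is required")
    if counts.get("Preferred-Languages", 0) > 1:
        problems.append("Preferred-Languages must not appear more than once")
    return problems


# Constructed sample: what a publishable file looks like.
GOOD = """# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Constructed sample with three mistakes: plain-http contact, expired, duplicate field.
BAD = """Contact: http://example.com/report
Preferred-Languages: en
Preferred-Languages: de
Expires: 2020-01-01T00:00:00Z
"""

if __name__ == "__main__":
    # Fixed clock so the run is reproducible; pass nothing to use the current time.
    clock = datetime(2030, 6, 1, tzinfo=timezone.utc)
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_security_txt(sample, now=clock) or "ok")
```

The checker accepts both plain and OpenPGP cleartext-signed files, because a signed security.txt still has to parse once the armor is removed. It deliberately refuses a naive Expires timestamp rather than guessing a timezone, since a file that silently expires early is a closed channel.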
So why does every company need a VDP? There are three main reasons:
- Demonstrates security maturity
A VDP demonstrates a company’s commitment to protecting its digital assets and responding to known risks. It also builds confidence and trust in the brand.
- Formalizes security feedback
Having a VDP in place provides the proper framework for engaging and maintaining a positive relationship with the security researcher community. It establishes and promotes cooperation between internal and external parties when it comes to vulnerabilities.
- Meets compliance requirements
It aligns cybersecurity programs with best practices as defined by the US Government, NIST, DOJ, and others.
Bugcrowd’s Vulnerability Disclosure Programs provide a channel and Safe Harbor for security researchers to submit security issues against any of an organization’s publicly facing assets. These can range from web applications to APIs, to mobile apps, IoT devices, and more.
For Safe Harbor, Disclose.io provides an open source framework that expands on the work done by Bugcrowd and CipherLaw’s Open Source Vulnerability Disclosure Framework, Amit Elazari’s #legalbugbounty, and Dropbox to protect security researchers. Establishing clear language before launching a program has a twofold benefit: organizations know what is and is not authorized, which helps them avoid situations such as extortion or reputational damage, while security researchers who act in good faith can report bugs without facing legal repercussions.
For more information on why every company should have a VDP, listen to this on-demand webinar with Bugcrowd Founder and CTO Casey Ellis and CSO David Baker as they discuss the impact VDP is having on the industry and why implementing a VDP is no longer a nice-to-have, but a necessity.