Security is a team sport. The information held by fellow security practitioners and researchers has the power to affect how and when we respond to adversarial threats. The sooner this information can be shared, the sooner it can be actioned for the benefit of all. To better facilitate this exchange, Bugcrowd is excited to announce two new features designed to make it easier than ever to share valid program submissions as well as request and grant disclosure of resolved vulnerabilities: in-platform Coordinated Disclosure and CrowdStream.
What is Coordinated Disclosure?
Disclosure refers to both the submission of a vulnerability from hacker to company, as well as the presentation of such, by either party, to the general public (to raise awareness, stop the spread, etc.). For the purposes of this blog, we’ll focus on the latter. Bugcrowd recommends all public programs (at minimum) take part in full or limited Coordinated Vulnerability Disclosure (CVD), which means the organization will consider if, how, and when a given resolved vulnerability can be discussed.
Where possible, CVDs allow the broader security community to take preventative measures, and educate security researchers and other practitioners on how to avoid or more rapidly identify similar threats. Most importantly, this approach takes vulnerabilities out of the “shame zone” and into the light of human error — where we can learn to find and fix faster, together.
Previously, researchers would request disclosure from the program owner via Bugcrowd’s Researcher Success team, who would coordinate and intermediate the response between the two parties. Starting today, researchers will be able to indicate in-platform if they would like to request disclosure. This notification will go directly to the program admins and owners, who will initiate the subsequent conversation. If mutually agreed, the vulnerability may be disclosed in part or in full.
What’s the impact?
For program admins and owners without Coordinated Disclosure:
These programs will not experience any change, though it should be noted that researchers may prefer to spend time on programs where coordinated disclosure is enabled. Should you decide to opt into this program, toggle the coordinated disclosure option in your program brief as shown below:
For program admins and owners with coordinated disclosure already enabled:
Program admins and owners will be able to accept, reject, add a summary, and assign limited or full disclosure status to incoming disclosure requests, as depicted below and detailed in full in our product documentation:
Ease of access for researchers means program admins and owners who have opted into coordinated disclosure may receive a higher volume of requests from researchers than previously.
Researchers will see a toggle on each submission, enabling them to request disclosure in one click. They will also be able to add a summary, and request full or limited disclosure before submitting, as shown below. Researchers can read more about their options in requesting coordinated disclosure in the product docs.
Today, Bugcrowd also launches CrowdStream alongside in-platform Coordinated Disclosure. CrowdStream is a running feed of accepted submissions and public disclosures on the programs for which it has been enabled. Participation in CrowdStream helps organizations better signal to new or existing researchers the health and activity level of a given program, as well as alert industry peers to relevant vulnerability trends. Customers can learn more about CrowdStream settings here, while researchers can do the same here.
There are three unique views for CrowdStream, which are central to understanding how it works:
The public view is accessible by the general public, and includes CVDs as well as submissions to public programs that have CrowdStream enabled. Information about bounty amount, submission severity, and the URL of the affected target will be displayed (as well as researcher handle and reward amount, should the researcher choose to have this information displayed).
If a program opts into CrowdStream, it will also benefit from an individual program view, which is accessible only by researchers participating in that program. For private programs, this feature is most useful for maintaining the engagement of invited researchers, who may be deciding how to divide their time among a variety of active programs.
Finally, the researcher view captures individual researcher activity across all programs, and may be set to public or private. If public, the feed will mirror what is viewable at the public-view level, for all submissions made by that person. The below image shows how to select profile and submission detail visibility.
How to activate CrowdStream and/or Coordinated Disclosure:
For customers interested in activating CrowdStream and/or Coordinated Disclosure, you can toggle the options directly in your program brief, or contact your Account Manager for help.
We hope you’ll take advantage of these two important updates to enable more collaboration and information sharing between researchers and program owners. If you have any questions about how to navigate each, or the potential impact to your program, stakeholders, and researchers, contact your Account Manager today!