Starting June 1st at 17:00 Pacific Time (UTC-7), points on VDPs will be disabled. If you have already obtained points on VDPs, they will not disappear.

Vulnerability Disclosure: It’s very important

A vulnerability disclosure policy sets the rules of engagement for researchers to identify and report security vulnerabilities. When researchers find vulnerabilities, they often report them to the affected companies so the issues can be fixed and end users stay protected. Most companies want to receive such reports through internally run security programs or external platforms such as Bugcrowd.

A vulnerability disclosure program (VDP) is a structured way for a company to accept these reports and an important first step to having an active security presence on the Internet. If you find a vulnerability on a company’s Internet-facing assets and want to report it to that company, a VDP is the way to go.

Points on VDPs

VDPs share many of the same platform services as our Bug Bounty programs. This includes the gamification service that we use to incentivize activity on our Bug Bounty programs. Kudos points are a component of the gamification service and are also shared. A common misunderstanding among some researchers is that kudos points are a method for getting invitations to private programs, and because of this, some VDP researcher activity has been focused on acquiring points and not necessarily on reporting high-impact bugs for disclosure.

We want to clarify that points are not the driver for getting invited to private programs. There are a number of different factors inside CrowdMatch that drive private program invitations, but at a summary level, private program invitations are for researchers who have demonstrated competency in submitting high-impact bugs and who match the skills and trust requirements of a particular program. This is the case with submissions for VDPs as well as Bug Bounty and Pen Test programs. There might be some correlation because more points are awarded for higher-impact bugs, but other criteria are used to evaluate researchers for private programs.

In the past, Bugcrowd has rolled out private VDPs because researchers hungry for points swarm the public VDPs and overwhelm them. Also, because duplicates were assigned points, some researchers submitted known duplicates in order to obtain points. In the end, programs get a lot of activity with no benefit to the program or to anyone else, including the researcher.

In order to clarify the purpose of a VDP, Bugcrowd will be eliminating points from them. We believe this will avoid confusion for all parties. It is our goal to provide a safe, low-noise approach to VDPs. 

As a researcher, why should I participate in VDPs?

First, if you believe that you have found a security vulnerability, and you are trying to protect users by identifying it for a company so as to help in getting it fixed, VDPs are for you. If a program has a VDP and properly adheres to safe harbour provisions, you’re safe to report any findings to them.

Second, if the program adheres to Coordinated Disclosure guidelines, and you believe that a public disclosure is possible, it may be worth reporting a vulnerability to a VDP. Public disclosures are always good for your reputation as a researcher.

Finally, reporting first-to-find, priority one (P1) or priority two (P2) submissions on Bugcrowd will increase your chances of receiving private program invitations, regardless of whether or not you receive magical Internet points for them.

Recap

Points on VDPs have led to unintended consequences. The points have caused:

  1. A large number of duplicate abuses
  2. VDPs going private or being paused

Again, a common misperception among researchers is that the more points one has, the more private invitations one receives. This is not true. The fastest way to receive private invites is by making high-priority submissions.

Starting Tuesday, June 1st at 17:00 Pacific Time (UTC-7), points on VDPs will be disabled. If you have already obtained points on VDPs, they will not disappear.