Here at Bugcrowd, we’re passionate about the importance of Vulnerability Disclosure Programs (VDPs). Vulnerabilities are inevitable in software development; it’s how an organization responds to these vulnerabilities that makes a difference. VDPs provide a secure channel for altruistic, externally-sourced security feedback, and per Bugcrowd’s own research, the vast majority of hackers won’t report a vulnerability without a clear, safe way to do so.
Over the years, we’ve regularly revisited our approach to VDPs to ensure we’re at the forefront of customer and hacker needs. For example, we previously removed kudos points from VDPs to better serve both audiences. For hackers, this shift is aligned with the “see something, say something” ethos, ensuring vulnerabilities are handled with discretion and within a secure environment. For customers, it removed a negative incentive that points had created. We’d become aware of hackers selling their VDP findings in private marketplaces to other hackers for the points benefit, exposing findings about customer assets more widely than they should have been.
Now, we’re taking the next step in the VDP ecosystem’s evolution by democratizing VDPs for all. For some organizations, VDPs are mandated by regulation and standards, and policies must be present on their website to meet these requirements. But many of them do not have access to a simple but guided method to publish a disclosure policy alongside a vulnerability portal on their corporate website, and lack the internal experience to build their own. To make VDPs more accessible to those customers who are focused strictly on meeting such requirements, Bugcrowd is excited to announce a new, free-to-use offering—VDP Compliance.
What is VDP Compliance?
VDP Compliance is a continuous engagement available on the Bugcrowd Platform that lets anybody on the internet submit reports about potential vulnerabilities they see in public-facing digital assets via a Bugcrowd-powered embedded form. Your own security team can then validate, prioritize, and remediate vulnerabilities at its preferred pace.
For organizations focusing on compliance that have internal resources in place for self-managed triage, reporting, and support, it’s the perfect solution—and it’s free to use! Please see this page for details about the VDP Compliance offering.
Our goal is to give everyone an equal opportunity to get the benefits of receiving findings from the security community. Bugcrowd has spent years enabling people from all cultures, backgrounds, and technical experience to participate in engagements on our platform, as reflected by community-driven efforts like the Vulnerability Rating Taxonomy (VRT). With the introduction of VDP Compliance, we’re helping more organizations access that growing, vibrant community.
The key benefits of a VDP
VDPs are often described as the Internet’s “neighborhood watch.” In the same way that neighborhood watches rely on volunteers to monitor their communities for suspicious activity and to report incidents to the police when warranted, VDPs encourage anyone on the internet to watch out for and report vulnerabilities for the benefit of all.
Some of the many benefits organizations experience after implementing a VDP include:
- Improved security transparency and customer confidence
- Compliance with regulations and mandates
- Reduced risk
- Improved security ROI
- Accelerated digital transformation
- Ability to make better decisions on security initiatives
- Enhanced reputation for security
By the way, just because VDPs don’t incentivize hackers to submit vulnerabilities, that doesn’t mean organizations should expect to receive only low-impact submissions. 87% of organizations receive at least one P1 (critical) vulnerability through their VDP.
Get started with VDP Compliance
VDPs are a must for compliance and establish a baseline for cybersecurity best practices. We’re proud to offer VDP Compliance to all customers, free of charge, as part of our commitment to help organizations around the world build a stronger security posture.
