Attack surface has grown exponentially for many organizations, and with it, their susceptibility to weaknesses. To combat this reality, security teams using crowdsourced security solutions have expanded their program scopes to include more and more of their ever-evolving assets; notable examples include Tesla, Netflix, and Atlassian. But as attack surface expands, what happens if scope remains the same?
In their formative stages, many organizations have a limited attack surface — often only one web app or a few subdomains. But as they grow and expand their publicly facing footprint, most fail to grow their security testing programs in step. In crowdsourced security, this opens a gap in coverage and creates a grey area for security researchers who identify issues in assets that fall outside the scope of the bug bounty program.
At Bugcrowd, we’ve seen an uptick in such situations, and we have two solutions that greatly alleviate stress for both parties.
Both of these options allow researchers to easily report any and all security vulnerabilities to the organization, which our most successful customers agree is necessary to ensure the entire attack surface is being secured. We believe the ideal solution is to offer bounties for all findings in order to encourage more active bug hunting (option 1). Where that’s not tenable, the following example strongly underscores the pressing need for a VDP (option 2).
Consider for a moment the position of a researcher who identifies a vulnerability in an asset that’s not technically in scope for a bug bounty program, but still presents a security risk for the organization as a whole. Since the asset is out of scope for the bounty program, the researcher then needs to find somewhere to report the issue — but where?
Perhaps they look on the website for a disclosure page — but if that doesn’t exist, what are their other options? Some try reaching out via LinkedIn or Twitter — but what happens when those are similarly unresponsive? Security researchers are driven to effect change, and in the absence of an actionable response through any of these channels, the only remaining alternative may be to raise the issue publicly on social media in the hope of drawing proper attention to it. These situations rarely end well for anyone involved, and could usually be avoided entirely if the organization offered a proper disclosure program.
Where possible, adding a VDP and expanding the scope of your bug bounty program will reduce submission ambiguity and improve researcher relations. However, if you’re unable to do one or both of these, there are steps you can take today that also help.
Through all of this, despite the ever-changing landscape, the end goal remains the same — making your organization (and the internet) a safer place for everyone. We’ll always continue to learn and iterate as we feel it benefits the community and the organizations we support. Good luck and happy hunting!