Attack surface has grown exponentially for many organizations, and with it, their susceptibility to weaknesses. To combat this reality, security teams utilizing crowdsourced security solutions have expanded their program scopes to include more and more of their ever-evolving assets. Notable examples being: Tesla, Netflix, and Atlassian. But as attack surface expands, what happens if scope remains the same?
In their formative stages, many organizations have a limited attack surface — often only one web app or a few subdomains. But as they grow and expand their publicly facing footprint, most fail to grow their security testing programs in step. In crowdsourced security, this opens a gap in coverage and creates grey area for security researchers who identify issues in assets that fall out of scope for the bug bounty program.
At Bugcrowd, we’ve seen an uptick in such situations, and have two solutions that will greatly alleviate stressors to both parties.
- Have an expansive bounty program that includes all assets owned by the organization — providing an inlet for researchers to report and get rewarded for any and all security concerns.
- Run a Vulnerability Disclosure Program (VDP) in conjunction with one’s bug bounty — providing an inlet for researchers to report any and all security concerns they find in the wild. VDPs are open scope by default, allowing researchers to report any security issues identified across the entirety of your attack surface.
Both of these options allow researchers to easily report any/all security vulnerabilities to the organization, which is what our most successful customers agree is necessary to ensure the entire attack surface is being secured. We believe the ideal solution is to offer bounties for all findings in order to encourage more active bug hunting (option 1). Where that’s not tenable, then the following example strongly underscores the imminent need for a VDP (option 2).
Why change now?
Consider for a moment the position of a researcher who identifies a vulnerability in an asset that’s not technically in-scope for a bug bounty program, but still presents a security risk for the organization as a whole. Since the asset is out-of-scope for the bounty program, the researcher will then need to try to find a place to report the issue — but where do they report it to?
Perhaps they look on the website for a disclosure page — but if that doesn’t exist, what are their other options? Some try reaching out via LinkedIn or Twitter — but what happens when those are similarly unresponsive? Security researchers are driven to affect change, and in lieu of getting an actionable response across the board, the only remaining alternative may be attempting social channels in hopes of drawing proper attention to the issue. These situations rarely end well for anyone involved, and could usually be avoided entirely if there had been a proper disclosure program offered by the organization.
Where possible, adding a VDP and expanding the scope of your bug bounty program will reduce submission ambiguity and improve researcher relations. However, if you’re unable to do one or both of these, there are steps you can take today that also help.
- If you currently run a bug bounty program and VDP program separately, make sure to explicitly call out the presence of the VDP on the bug bounty program so researchers know where to submit otherwise out-of-scope findings.
- If you don’t currently run a VDP in conjunction with your bug bounty program, set up a rudimentary VDP at a bare minimum. The most common variant for this is adding a security@ email address and/or a short form on your organization’s main webpage. This way, researchers at least have a place to report any security issues they identify in the wild that affect your organization.
Through all of this, despite the ever-changing landscape, the end goal remains the same — making your organization (and the internet) a safer place for everyone. We’ll always continue to learn and iterate as we feel it benefits the community and the organizations we support. Good luck and happy hunting!