Vulnerability Disclosure Programs (VDPs) help organizations reduce risk across publicly-accessible assets by relying on the voluntary contributions of end-users, customers, and good-faith security researchers. But many organizations still have questions about how (and why) they should incorporate these programs into existing security practices. To help security teams better define, and defend the value of VDPs, Bugcrowd launched the 2020 Ultimate Guide to Vulnerability Disclosure. In this blog, we’ll recap the report’s top themes, and highlight some of the most interesting results of our annual VDP survey. If you prefer to read the report in full, you can download it for free below.
Why do organizations need a VDP?
The Ultimate Guide To Vulnerability Disclosure opens by describing how vulnerabilities are typically surfaced, and why VDPs are necessary to close the gaps created by these traditional methods. Much of it boils down to the size of the threat landscape, versus available resources. With rapid development cycles and ever-expanding code volume, it’s no longer realistic to believe that internal, targeted security testing can keep up. A well-structured VDP provides a security “safety net” over internet-facing assets for a more cost-effective way to continue risk reduction long after product launch.
This balance of cost and coverage has elevated VDP to baseline security best practice, with 28% of survey respondents reporting that these programs are now mandatory for their industry. For many forward-thinking security leaders, VDPs have even become a way to more easily communicate the value and impact of aligning with the broader security community. Christian Toon, CISO at Pinset Masons states, “Many organizations see disclosure of a vulnerability to be an admission of failure that harms their reputation, but this is a short-term outlook. Embracing vulnerability disclosure creates a security-first mentality, builds your reputation within the security community and educates your board in the process.”
Who Benefits from a VDP?
Security teams can reduce risk by proactively testing critical assets and applications for vulnerabilities as part of the standard software development lifecycle. But to balance resource, cost, and go-to-market timelines, this testing has a logical limit. VDPs enable organizations to extend security testing beyond these planned cycles. In the report, we learned an astounding 69% of organizations say their VDP surfaced at least one critical vulnerability missed by routine security testing.
Most organizations go to great lengths to assure customers that they care about security, but actual security practices can often be hard to demonstrate or even explain to non-security minded stakeholders. VDPs allow companies to reduce risk, while publicly showcasing their commitment to security in a way that is both easily understood, and easily verified.
Partners, Inventors, and Employees:
The VDP halo extends to an organization’s overall security brand, acting as a strong indicator of security posture for external stakeholders like prospective investors, partners, and other collaborators, including future employees. According to Ethan Dodge, Security Engineer at Atlassian,“A mature vulnerability disclosure program signifies a mature security culture, and may be a more accurate indicator than press coverage. I have always researched a company’s VDP when interviewing for jobs to assess the working environment.”
While VDPs are open to all individuals including customers and end-users, public programs are often frequented by trained security researchers, ethical hackers, and penetration testers looking to sharpen their skills. As VDPs are usually points-based rather than monetarily incentivized, participation for researchers often becomes more about education, competitive standing, and pure altruism. But to return the favor, organizations should consider going one step further than privately acknowledging contributions…
What is Disclosure?
The Ultimate Guide to Vulnerability Disclosure discusses private disclosure of vulnerabilities from hacker to organization, but it also enumerates the importance of these two parties working together to share these findings more broadly.
This week Ohio became the first state to issue a vulnerability disclosure policy for election-related websites. Critically, this policy includes what the report refers to as a “time-boxed” disclosure agreement, wherein the finder of a vulnerability can share details of the vulnerabilities 4 months after it has been accepted by the State. According to the policy, “We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.” According to the report, 77% of organizations agree, allowing either full or partial disclosure of vulnerabilities post-remediation.
Because security researchers are keen to build a resume and portfolio of work just like the rest of us, many are drawn to programs that enable them to share their accomplishments. This may be why programs that are open to coordinated or time-boxed disclosure see 30% more submissions, on average, than those that don’t, according to Bugcrowd program data.
How Can Organizations Get Started?
The report states that 60% of ethical hackers have not submitted a vulnerability due to fear of legal retribution. Without a clear policy that embraces good-faith testing, many vulnerabilities remain buried until a malicious hacker happens upon it first. To mitigate this risk, the report shares several best practices every organization should follow in launching their own vulnerability disclosure program. They include:
- Creating written policies about scope and expectations
- Aligning internal teams like engineering, legal, marketing
- Establishing a policy of understanding, respect, and appreciation (starting with Disclose.io. best practices)
- Ensuring resources are available to quickly accept and action critical findings
Perhaps most importantly, the report stresses the value of iteration, to ensure internal resources can meet the demands of external submissions. Christian Toon advises: “Those starting out with VDPs should be prepared to fail fast and fix fast. Play around with parameters and approaches and gather plenty of data to inform yourself. As long as you don’t annoy or offend the security community or your board it will all be valuable.”
The Value of a Managed Program
VDPs are straight-forward conceptually, but optimization and growth can take considerable patience and dedicated resources. Organizations choosing self-management should consider things like time in triage, ease of transitioning findings to the appropriate teams for remediation, and even soft-skills like timely researcher communication.
For these reasons, 54% of organizations with a VDP reported use of managed programs like Bugcrowd, which provide a platform for accepting, validating, formatting, prioritizing, and transferring vulnerabilities where they’re needed, without delay. Bugcrowd’s hosted VDPs also provide full program and researcher support, 24/7 reporting, and a variety of SDLC integrations to ensure constant communication and alignment across all stakeholders.
Interested in Learning More?
Bugcrowd’s Ultimate Guide to Vulnerability Disclosure explores the definitions, motivations, and strategies around vulnerability disclosure programs. Drawing on industry expertise and the results of a recent Bugcrowd survey, it seeks to uproot misconceptions and unite organizations in a common system of best practices for encouraging, accepting, and acknowledging vulnerabilities discovered “in the wild.” Get your copy today!