Security isn’t a technology problem—it’s a people problem. To compete against an army of adversaries and stay ahead of cyber attacks, we need an army of human allies (aka the Crowd). Vulnerability Disclosure Programs (VDPs) and Managed Bug Bounty (MBB) programs have emerged as two popular options for augmenting security workflows with crowdsourced expertise and resources.

For customers that are new to crowdsourced cybersecurity, the differences between these two options may not be obvious. This blog will help you better understand which program to use, and when.

The Rise of VDPs and MBBs

VDPs have been around for some time, but have really started gaining momentum in the past few years as companies increasingly digitize their infrastructure. Last month, Google and Salesforce announced the Minimum Viable Secure Product (MVSP), a vendor-neutral security checklist designed to help organizations ensure the minimally viable security posture of a product. The first of its recommendations is the creation of a Vulnerability Disclosure Program. In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) also released a binding directive that makes VDPs a requirement and requires federal civilian agencies to remediate vulnerabilities (catalog of known vulnerabilities) within specific timeframes.

Things are also heating up on the managed bug bounty side. Google has kicked off a three-month Bug Bounty Program—with triple researcher rewards—focused on identifying flaws in the Linux kernel.

The Difference between VDPs and MBBs

VDPs and MBBs are now critical tools to have in your security toolbox, but which tool should you use for which job? Let’s compare:

  • VDP: A VDP is a secure, publicly available channel for anyone to submit security vulnerabilities to organizations, helping them mitigate risk by enabling the disclosure and remediation of vulnerabilities before they are exploited by bad actors. In contrast to bug bounties, submissions are not incentivized by cash rewards. Publishing a vulnerability report after it has been fixed is another common attribute of VDPs, and gives researchers the opportunity to share knowledge and enhance their own reputation in the process.
  • Public MBB: A public MBB allows anyone to participate in the bug bounty program. It’s similar to a VDP but with the addition of cash and other rewards to incentivize proactive testing. Another trait of MBBs is that testing efforts are directed by the organization itself to specific areas where security is deemed most critical.
  • Private MBB: Private MBBs are often narrower in scope than their public counterparts (e.g., more tightly focused on specific targets). Researchers are incentivized by cash bounties (aka “pay-for-results”). Private MBBs limit participation to handpicked researchers, which allows for targeted skills matching, along with background checks, geographic selection, and so on.

Understanding Use Cases for VDPs vs MBBs

The easy answer to the question of which to use is, “it depends.” But I’m going to put a stake in the ground—a vulnerability disclosure program should be a baseline security standard for everyone, as common as a firewall. All code contains vulnerabilities, even when much has been done to prevent them. According to Coralogix, the data logging analytics company, on average, a developer creates 70 bugs per 1000 lines of code. A VDP establishes a “see something, say something” mindset within your organization that carves out a global channel for vulnerability reports and publicly demonstrates that your company is doing everything possible to protect its customers, partners, and suppliers.

Even if your company begins its crowdsourced cybersecurity journey with something other than a VDP—like an MBB or a pen test—a VDP remains a foundational element.

Alternatively, organizations can start with a private MBB program. This was the path that Motorola took when it launched a private MBB with Bugcrowd. After the success of its private bug bounty program, Motorola wanted to open a channel to showcase security maturity and interact with the wider researcher community. This drove it to launch a “neighborhood watch” in the form of a VDP. Motorola did what made sense for its business by going with a managed bug bounty program before rolling out a vulnerability disclosure program. The end result was the same—happier customers and safer products!

A private MBB is also often used as a similar crawl-walk-run on-ramp toward a public bug bounty program. A public MBB works well for organizations that can fix discovered security flaws in a short period of time, through team resourcing and software development lifecycle (SDLC) integration.

How VDPs and MBBs Address Security Challenges

All of these options help organizations deal with the chronic difficulties they have in attracting and retaining the right security skills (aka overcoming the skills gap). Those obstacles are exacerbated by the constant need to move faster and to deploy more infrastructure and applications—demands which in turn create more and more attack surface to defend. And of course, the relentless creativity and ambition of attackers are an ever-present challenge. All of these impediments are greatly lessened with crowdsourced cybersecurity as delivered by VDP and MBB programs.

Of all the options, public MBB has garnered the lion’s share of attention. It’s often the thing people immediately think of when they hear the term “bug bounty”. If your organization is mature enough to want to attract the broadest possible range of talent, and make an even stronger statement about its commitment to security to the public, a public MBB shines.

Vulnerability Disclosure Program

What It Solves
  • Encourages anyone to report anything they find in Internet-facing assets
  • Offers a predictable cost (no paid bounty element)
  • Builds the organization’s reputation for taking security seriously
  • Fulfills compliance requirements

What It Doesn’t Solve
  • Not for continuous, active testing
  • Not for finding the most serious vulnerabilities
  • No methodology-based testing
  • Cannot focus testing on a particular area
  • Cannot restrict researcher access

Managed Bug Bounty

What It Solves
  • Provides incentivized testing for specific or all assets
  • Ensures that researchers are chosen by skill, experience, location, preference, and performance (e.g., CrowdMatch from Bugcrowd—aka Private Bug Bounty)
  • Offers on-demand or continuous coverage for rapid-release cycles
  • Encourages discovery of critical vulnerabilities

What It Doesn’t Solve
  • Doesn’t meet some compliance requirements
  • Cannot easily demonstrate full asset coverage
  • Cannot receive vulnerabilities from anyone, just from selected researchers (i.e., private MBB)
  • Typically limited to a defined scope (i.e., private MBB)

Now that you have an understanding of VDP and MBB, where do you go from here?

Bugcrowd Can Help

Combining VDPs with MBBs is a very common approach among Bugcrowd customers. For both types of programs, we provide everything you need to ensure efficiency, return on investment (ROI), and maximum impact.

Bugcrowd’s crowd-powered SaaS platform is built for multiple security use cases. Bugcrowd facilitates hundreds of managed VDPs, escalating high-priority issues within hours and averaging triage completion within one business day. Moving from one program (e.g., a VDP) to another (e.g., a managed public bug bounty) can be done via the platform as well.

Start your VDP journey on the Bugcrowd Platform with an easy self-service option. Per-month pricing and the ability to pay by credit card are available here. Get started today and let the Bugcrowd Platform start finding vulnerabilities.