Have you ever had a vendor claim to reduce attacks against your business? Unless they’re running some sort of protection racket, “reducing attacks” isn’t really possible. What they might mean is that they’ll help you avoid negative consequences from the malicious exploit of a vulnerability. I agree that’s not as catchy, but the nuance has caused a conflation of terms, leading some non-security stakeholders to be equally fearful of the words vulnerability, attack, and breach.
Despite guidance from security leaders that vulnerabilities should be expected rather than feared, some executives still veto policies promoting public discourse on security posture for fear of “bad press.” This resistance is damaging not only to the company’s actual security, but their reputation. It’s time to embrace transparency and accountability, especially in security.
In this blog we’ll discuss why Vulnerability Disclosure Programs (VDPs) have quickly become one of the easiest and most cost-effective ways to reduce risk while improving trust and loyalty amongst customers and the security community at large.
Defining Vulnerability Disclosure Programs
Often described as the internet’s “neighborhood watch,” VDPs provide a framework to facilitate the voluntary reporting of vulnerabilities discovered outside of typical testing cycles. That is to say, they run parallel to, rather than in place of, routine security testing like pen tests, bug bounties, SAST, DAST, and more.
As these programs run 24/7 and are open to all individuals with an internet connection, valid submissions are usually rewarded with “points,” rather than payments, to add a layer of cost-conscious coverage for an organization’s entire internet-facing attack surface.
While organizations can build their own VDP, or run a hybrid management model, fully-managed VDPs like those offered by Bugcrowd reduce both risk and resource drain by creating a secure submission framework, providing noise-reducing validation and prioritization services, and maintaining constant communication with both parties.
Why Your Organization Needs a VDP
1) So you don’t have to choose between security and speed
Early in my career I worked as a statistical modeler in the Office of Compliance Analytics at the Internal Revenue Service. We developed a number of models that were quite reliable in identifying fraud, but were ultimately not deployed as they required additional time and resources that would delay refunds for innocent taxpayers.
CISOs are faced with the same balancing act. There are 15-50 bugs per 1,000 lines of code, and millions of lines of code per application. It’s highly unlikely that even the largest and most well-funded security team can identify all vulnerabilities during routine testing, especially in agile development environments where new code is deployed continuously.
For this reason, organizations need a layered approach to security that extends beyond the typical software development lifecycle, to enable the acceptance of vulnerabilities discovered “in the wild.” VDPs provide cost-effective continuous coverage without disrupting product launch timelines.
2) Because preparing to fail prevents failure
Bugcrowd VDPs source thousands of critical (P1 or P2) vulnerabilities every year, hundreds in just the first 90 days for some customers. But while just one vulnerability can provide full return on investment, the framework itself, and the message it sends, is invaluable: “We have a plan for when our plan fails.”
In 2019, 14-year-old Grant Thompson was playing video games with his friends when he discovered a bug that enabled FaceTime to turn his iPhone into a listening device. Thompson’s mother tried several ways to alert Apple to the vulnerability to ensure it wouldn’t fall into the wrong hands, but without a response, she eventually, exasperatedly, resigned herself to “tweeting” about it.
The media responded, but not as you might expect. Rather than sensationalize the bug, headlines around the world focused on how long Apple took to respond. In spite of (or maybe because of) an extraordinarily well-funded security program, Apple failed to consider the possibility of a vulnerability making it past internal testing. As a result, they lacked a means of accepting and quickly prioritizing externally-sourced vulnerabilities, to the detriment of their security as well as their reputation.
3) Because consumers now value trust over all else
Today’s consumers value trust over reputation and reliability when choosing brand allegiance. Maybe unsurprisingly so, as the notion of an infallible product simply does not compute with a generation whose entire digital existence revolves around an intermittent stream of software updates.
Consumers expect problems and incremental solutions, but demand transparency in the process. While this shift puts security smack in the middle of brand identity, organizations needn’t wait until after a breach to demonstrate commitment to the cause.
Unlike internal security programs, Vulnerability Disclosure Programs are designed to be both publicly accessible and publicly observable. Similar to the reassurance a customer might feel when progressing through identity verification questions, a VDP page on your website is an open and interactive way of demonstrating that you have an established framework for reducing risk.
4) Because employees, partners, and investors are watching
VDPs serve as public evidence of an organization’s culture of remediation, recognition, respect, and commitment to rapid response.
For potential security hires, the presence of a VDP additionally signifies the influence wielded by security leadership amongst executive peers. As such, it’s often considered a litmus test for prospective applicants weighing options that would provide the most enriching career opportunities.
Similarly, future investors and long-term partners undertake an enormous amount of reconnaissance on company maturity, security, culture, and growth trajectory before even broaching a conversation with the organization. VDPs can help a security program speak for itself.
In the case of M&A, the consequences of poor security practices can be more severe. As security reviews are often the ‘final mile’ in negotiation, many offers are rescinded or slashed just weeks shy of final signing if the severity of vulnerabilities revealed is too high to justify cost. VDPs act as a more cost-efficient “safety net” to reduce the chances that you’ll be surprised later.
5) Because sharing vulnerabilities with industry peers is good for business
Sharing threat intel and security best practices helps all ships rise. But failure to do so can have the opposite effect. While most people can recall a fatal incident involving an autonomous vehicle in recent years, they often fail to recall which company was responsible. As a result, they may harbor negative feelings about the entire industry. The fallacy of composition isn’t fair, but it is reality when consumers often lack knowledge of whether a vulnerability is more or less likely to affect similar vendors.
Vulnerability Disclosure programs that enable “coordinated or discretionary disclosure” provide a means for remediated vulnerabilities to be shared outside the organization, on a case-by-case basis. Once known, industry peers can proactively seek out the issue before it can be maliciously exploited. The more trusted the industry, the greater market share available to all.
6) Because maybe you need to date before you commit
Any discussion on the impact of VDPs would be lacking without due attention to the vulnerability finders themselves, who fall into two categories: the ‘Grant Thompsons’ of the world, who stumble upon vulnerabilities in the course of normal use, and security researchers (or ethical hackers, or simply, hackers), who actively hunt for vulnerabilities.
Whether hacking full-time or moonlighting after a long day as a security engineer or CISO, researchers of all skill levels and experience will actively seek out VDPs to improve their skills, build relationships, or just feel good about making the world a safer place.
This active engagement can bolster findings, but it’s also a good opportunity for organizations to identify and recruit talented researchers that they believe might thrive in an incentivized bug bounty or pen test program. In other words, VDPs give organizations a chance to get to know researchers before committing to a long-term relationship.
7) Because nearly every organization with any internet presence needs one
Having a VDP is quickly becoming industry standard. In fact, adoption is no longer optional for some. The Cybersecurity and Infrastructure Security Agency (CISA) issued a binding directive requiring all federal agencies to publish a VDP.
For organizations leery of the crowdsourced security model, or for those that don’t consider themselves “ready” for other crowdsourced programs like Bug Bounties, it’s important to remember the following distinctions:
- VDPs are open to everyone on the internet. If using a managed VDP provider like Bugcrowd, participants need not be registered on the provider’s platform to submit a vulnerability.
- VDPs do not provide credentialed access to sensitive applications. They only apply to assets that are already publicly accessible by anyone on the internet.
- VDPs can be constructed and defined according to a mutual understanding of appropriate access and communication.
- While ad-hoc rewards can be offered for significant findings, payments are not part of the default VDP model.
- Public, coordinated disclosure of vulnerabilities after they have been resolved has been correlated with a 30% increase in submission volume, but is always at the discretion of the organization.
- The number of vulnerabilities received does not indicate “success” or “failure” of the program. The simple existence of a clear communication channel is all that’s necessary to unlock a myriad of other business benefits.
Vulnerabilities are being written into new and existing software every day. But avoiding financial and reputational ruin starts simply with a bit of humility. The 24/7 nature of public Vulnerability Disclosure Programs tells employees and customers that you recognize security is a journey, and never quite “complete.”