Vulnerability Disclosure Program (VDP)

A Vulnerability Disclosure Program (VDP) is a structured framework for security researchers to document and submit security vulnerabilities to organizations. Vulnerability Disclosure Programs help organizations mitigate risk by supporting and enabling the disclosure and remediation of vulnerabilities before hackers exploit them. Vulnerability Disclosure Programs usually contain a program scope, safe harbor clause, and remediation method. VDPs generally cover all publicly accessible, internet-facing assets. Publicly posted VDPs suggest that the organization is unlikely to be an easy target.

Hackers exploit code vulnerabilities to negatively impact data security, systems, people, or IP. ISO/ IEC 29147:2018 describes vulnerability disclosure as “the requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure programs enable users to perform technical vulnerability management and help users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. ISO/ IEC 29147:2018 also notes that coordinated vulnerability disclosure is especially important when multiple vendors are affected.” 

Vulnerabilities in processes, code, configurations, and critical systems resources can offer malicious actors an opportunity to compromise your digital assets. Research has shown us that the average software application may have dozens of bugs for every thousand lines of code. The defects not discovered during the Development Operations (DevOps) process may be found later by malicious actors. Configuration errors are significant additional sources of vulnerabilities, especially for cloud-based applications, and often emerge due to mistakes made in production deployment. 

For a VDP to be successful, it generally requires the engagement and interest of ethical hackers. Ethical hackers “hack” into a computer network to test and evaluate security but do so without any malicious or criminal intent and generally have the cooperation of the targeted organization.

Ethical hackers must take the perspective of malicious threat actors. Ethical hackers step into the shoes of threat actors and view an organization’s defenses from the perspective and mindset of a potential attacker. Ethical hackers must take active measures to probe cyberdefenses for vulnerabilities that would allow them to position a successful cyber attack. The success of ethical hackers in identifying vulnerabilities reduces or eliminates the potential opportunity for the next real malicious threat actor.

Interaction with ethical hackers must be subject to essential ground rules agreed upon between the ethical hacker and the organization. Vulnerability disclosure policies document the most critical engagement ground rules.

Vulnerability disclosure policies

Vulnerability disclosure policies provide language that serves as the basis for a vulnerability disclosure program. For example, vulnerability disclosure policies generally include sections that address:

The introductory section provides background information on the organization and its commitment to security and more. In addition, this section explains why the policy was created and the goals. 

The safe harbor section explicitly declares the organization’s commitment not to take legal action for security research activities that follow “a good faith” effort to follow the policy. The language recommended by CISA for a government agency’s vulnerability disclosure policy authorization and safe harbor is: 

“If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and AGENCY NAME will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.”

Other guidelines further set the boundaries of the rules of engagement for ethical hackers. Guidelines may include an explicit request to provide notification as soon as possible after discovering a potential security vulnerability. Exploits should only be used to confirm a vulnerability. Many vulnerability disclosure policies request that discovered exploits not be used to compromise data further, establish persistence in other areas, or move to other systems.

Scope provides a clear view of the properties and internet-connected systems covered by the policy, the products it may apply, and the appropriate vulnerability types. The scope should also include any testing methodologies which are not authorized. For example, it is most typical that VDPs don’t allow Denial of Service (DoS or DDoS) attacks or attacks of a more physical nature, such as attempting to access the facility. In addition, it is often the case that social engineering, perhaps through phishing, is also not authorized. Again, however, situations vary, and it is essential to spell out precisely what is permissible and what is not.

Process includes the mechanisms used by ethical hackers to report vulnerabilities correctly. This section contains instructions on sending reports. It also consists of the information that the organization requires to find and analyze the exposure. This information may include the location of the vulnerability, the potential impact, and other technical knowledge required to identify and reproduce the vulnerability. It also should include information about the timeframe for the acknowledgment of receipt for the report.

A best practice is to allow ethical hackers the option of submitting vulnerability reports anonymously. In this case, the vulnerability disclosure policy would not require the submission of identifying information. 

Types of disclosure 

In non-disclosure programs, the finder is not permitted to communicate any portion of a vulnerability beyond the confines of the organization itself. This requirement remains in place even after it has been resolved. In non-disclosure programs, no exposure, regardless of type or severity, can be shared. While these programs still receive submissions, they generally do not encourage them. 

Organizations may also opt for coordinated (or discretionary) disclosure, which signals a willingness to consider public disclosure of remediated vulnerabilities. This disclosure may be in whole or redacted form and may be determined on a case-by-case basis. Yet, a specific disclosure will be removed from a coordinated disclosure program if it can still impact human health and well-being in many cases. For example, this may be the case with automobiles, pacemakers, medical devices, and another internet of things (IoT) devices that are difficult to update remotely or recall.

Some organizations will often set a time limit on disclosure for each vulnerability, promoting their commitment to driving fast remediation. Organizations that deem security a strategic priority often adopt this time-boxed disclosure approach. 

Coordinated, discretionary, and time-boxed disclosure terms are considered best practices as they encourage rapid remediation while demonstrating a commitment to and appreciation of the hacker community. Data shows us that 77% of organizations with a VDP in place enable one of these desirable methods of public disclosure. 

General benefits of a vulnerability disclosure program

VDPs reduce risk by enabling you to accept, triage securely, and rapidly remediate valid vulnerabilities submitted from the security community. Statistics have shown that 87% of organizations have received a critical or high-priority vulnerability through a VDP.

VDP programs also provide a good return on investment. VDP programs allow organizations to more rapidly visualize and prioritize the threat landscape to stay ahead of dangerous activity. VDP helps organizations protect the value of their brand. 

The digital transformation can provide substantial benefits but can be delayed by cyber security issues. Organizations can accelerate digital transformation and better align security testing with your release cycle to ship secure code faster. 

VDP programs provide better context to assess risks with actionable intelligence for risk management. In addition, the transparency VDP programs improve customer confidence and gain goodwill in the security community.

Well constructed VDPprograms define the environment you require for an ethical hacker to identify and submit information on discovered security vulnerabilities. Disclosure policies guide and establish the communications framework to report discovered security weaknesses and vulnerabilities. Bugcrowd’s VDP enables all parties to exchange data formally and consistently and confirm receipt of the communications.

The importance of a managed approach to a VDP

A managed approach allows organizations to rely on the VDP platform to monitor the intake channels, triage the findings, and provide feedback to the submitting party. 

When getting started, organizations can deploy a VDP in stages. The simplest way to start is just to receive vulnerabilities via email. This approach allows an organization to get used to participating in a VDP, which can often deliver a large number of vulnerabilities soon after launch. The next step is to embed a VDP submission form directly into the organization’s website. Including a VDP submission form on your website publicly displays your intentions to protect your organization proactively and demonstrates engagement and transparency with the security community. Finally, organizations can also post their VDP directly on a vendor platform.

Related Resources:

• [Guide] What is Responsible Disclosure?
• [Guide] 6 Key Questions to Ask Before Implementing a VDP
• [Product] Bugcrowd Vulnerability Disclosure Program

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.