Vulnerability Disclosure
When a hacker submits a vulnerability through a vulnerability disclosure program (VDP), there is often an expectation of some level of public disclosure once the issue is fixed. The program's policy should state up front which of the four disclosure models below applies, so that both the finder and the organization know what can be published, and when.
Discretionary disclosure
When organizations opt to enable discretionary disclosure, they signal their openness to considering the public disclosure of remediated vulnerabilities, in full or in redacted form, on a case-by-case basis. While the finder may request disclosure, the decision remains at the sole discretion of the organization. Withholding a vulnerability from disclosure is sometimes necessary when publishing it would put customers at significant risk, for example when the affected product cannot be patched quickly. This is the case with pacemakers, vehicles, and other embedded or IoT devices that are difficult to recall promptly or update remotely, where a published report would describe a flaw that many deployed units still carry.
Coordinated disclosure
For more mature organizations, committing to a fixed deadline by which every vulnerability is resolved and published can further encourage active discovery, although this protocol requires a dedicated team responsible for rapid remediation and communication, since the clock runs whether or not the fix is ready. This approach is usually taken by organizations that treat security as a strategic priority and want to build the strongest possible relationship with the security community.
Coordinated disclosure is based on good faith and is considered a best practice for all parties involved, as it encourages rapid remediation while demonstrating commitment to and appreciation of the hacker community. 66% of organizations allow coordinated disclosure for virtually all vulnerabilities.
Full disclosure
Unlike the other approaches, full disclosure is not a program policy. Rather, it is an individual act of public communication in which a finder discloses a vulnerability before it has been fixed. Bruce Schneier defended the merits of full disclosure in 2007, arguing that the threat of publication is sometimes the only lever that forces owners to fix vulnerabilities when they are unresponsive to hackers' well-intended private reports.
However, both hackers and organizations generally prefer to avoid this type of disclosure, since it leaves users exposed while the fix is still pending.
In fact, both nondisclosure and full disclosure are discouraged because of the asymmetric cost to only one party; either the finder is not given recognition for their effort to improve security, or the owner is not given an opportunity to fix a vulnerability before it becomes public in a way that makes it more likely to be maliciously exploited. Disclosure should be undertaken in a way that protects the owner, rewards the finder, incentivizes further research, and enhances relationships between owners and the security community.
Nondisclosure
When programs are marked as "nondisclosure," it is understood that the finder is not permitted to communicate any portion of a vulnerability outside the organization itself, even after it has been resolved. For nondisclosure programs, no vulnerability, regardless of type or severity, can be shared. While these programs still receive submissions, they do little to encourage them, because the finder receives no public recognition for the work.
Learn more about vulnerability disclosure
- Vulnerability Disclosure 101 Guide
- Vulnerability 101 Infographic
- Vulnerability Disclosure Program Data Sheet
- Vulnerability Disclosure Programs: From Luxury to Necessity Infographic
- Vulnerability Disclosure Policy: What is it and Why is it Important?
- Vulnerability Disclosure Program or Managed Bug Bounty: How to Determine which Program is Best for you