Today we are excited to announce the latest disclosure channel available through Bugcrowd’s Vulnerability Disclosure Program (VDP) – Email Intake. It’s simple – any third party who wants to report a vulnerability can simply send an email to your organization via a security@ email address, and Crowdcontrol takes care of the rest.
This feature expands upon our VDP solution, now encompassing three different disclosure channels — Email Intake, Embedded Submissions Form, and the Crowdcontrol Platform — allowing companies to increase public awareness, gain maximum coverage, and meet legal compliance standards. This flexibility also supports a “crawl, walk, run” approach, which helps organizations successfully adopt a public-facing security feedback channel.
What is the “crawl, walk, run” approach?
A low-exposure program, like one using Email Intake, is a great place to start, as it allows an enterprise to gradually align stakeholders' expectations, establish roles and responsibilities, and implement standard procedures without becoming overwhelmed with a flood of findings. Over time, it is important for an organization to expand program exposure by introducing an Embedded Submission Form on their website's security page. Eventually, customers can post their VDP on bugcrowd.com/pages to direct Bugcrowd's diverse community of white hat hackers to engage in their program. We believe companies should always strive to increase the public exposure of their VDP to gain maximum coverage, reduce risk and achieve legal compliance standards.
What are the benefits of VDP?
Too often we see ethical hackers reach out to companies upon discovering a vulnerability, only to find that organizations are overwhelmed by a flood of unorganized submissions. Offering additional disclosure channels provides a range of benefits:
- Build stakeholder confidence and trust by protecting digital assets and responding to known risks.
- Centralize incoming reports on a cloud-based, managed solution that seamlessly integrates into your existing SDLC, delivering frictionless setup with low maintenance.
- Create a channel for security feedback and a framework to manage vulnerabilities discovered by researchers.
- Align cybersecurity programs with best practices, as defined by the US Government, NIST, DOJ, FDA, and others.
The success of any vulnerability management program relies on the ability of organizations to provide an easily identifiable channel to submit vulnerabilities and then triage the issue in a timely fashion. After all, consumers want to know companies are doing their due diligence to protect their data.
We believe it is our responsibility to continuously build innovative solutions to support the changing needs of our customers, and we want to ensure we release solutions that enable customers to effectively and efficiently solve their problems. Keep an eye out for more features as we continue to expand the functionality of our VDP solution.