Benefit from the knowledge of security researchers by providing them transparent rules for submitting vulnerabilities to your team with a responsible disclosure policy.
Responsible disclosure is a process that allows security researchers to safely report found vulnerabilities to your team.
It can be a messy process for researchers to know exactly how to share vulnerabilities in your applications and infrastructure in a safe and efficient manner. Generating a responsible disclosure policy can be confusing and time-consuming, so many organizations do not create one at all.
To help organizations adopt responsible disclosure, we’ve developed an open-source responsible disclosure policy your team can utilize for free.
Occasionally a security researcher may discover a flaw in your app. This leaves the researcher responsible for reporting the vulnerability. In most cases, an ethical hacker will privately report the vulnerability to your team and allow your team a reasonable timeframe to fix the issue. In some cases, they may publicize the vulnerability in order to alert the public directly.
Disclosing a vulnerability to the public is known as full disclosure, and there are different reasons why a security researcher may take this path. A security researcher may disclose a vulnerability if:
While not a common occurrence, full disclosure can put pressure on your development team and PR department, especially if the hacker hasn’t first informed your company. These scenarios can lead to negative press and a scramble to fix the vulnerability.
If a finder has done everything possible to alert an organization of a vulnerability and been unsuccessful, full disclosure is the option of last resort. Some security experts believe full disclosure is a proactive security measure. Their argument is that the public scrutiny it generates is the most reliable way to build security awareness. Others believe it is a careless technique that exposes the flaw to other potential hackers. Regardless of where you stand, getting hacked is a situation worth protecting against.
A responsible disclosure policy is the first step in helping protect your company from an attack or from a premature public release of a vulnerability. The best part is that they aren’t hard to set up, and they give your team peace of mind when a researcher discovers a vulnerability. Getting started with responsible disclosure simply requires a security page that states
Best practices include stating the response times a researcher should expect from the company’s security team, as well as the length of time within which the bug will be fixed. If you’d like an example, you can view Bugcrowd’s Standard Disclosure Policy, which is utilized by its customers. If you want to go deeper into the subject, we also updated our Ultimate Guide to Vulnerability Disclosure for 2020.
Implementing a responsible disclosure policy will lead to a higher level of security awareness for your team. Bringing the conversation of “what if” to your team will raise security awareness and help minimize the occurrence of an attack.
At Bugcrowd, we’ve run over 495 disclosure and bug bounty programs to provide security peace of mind. Whether you have an existing disclosure program or are considering setting up your own, Bugcrowd provides a responsible disclosure platform that can help streamline submissions and manage your program for you.
Ready to get started with Bugcrowd? Just head to this page. Our team will be happy to go over the best methods for your company’s specific needs.