Benefit from the knowledge of security researchers by providing them transparent rules for submitting vulnerabilities to your team with a responsible disclosure policy.
WHAT IS RESPONSIBLE DISCLOSURE?
Responsible disclosure is a process that allows security researchers to safely report found vulnerabilities to your team.
It can be a messy process for researchers to know exactly how to share vulnerabilities in your applications and infrastructure in a safe and efficient manner. Generating a responsible disclosure policy can be confusing and time-consuming, so many organizations do not create one at all.
To help organizations adopt responsible disclosure, we’ve developed an open-source responsible disclosure policy your team can utilize for free.
FULL DISCLOSURE – WHY IT’S NOT IDEAL
Occasionally a security researcher will discover a flaw in your app, which leaves the researcher responsible for reporting the vulnerability. In most cases, an ethical hacker will privately report the vulnerability to your team and allow a reasonable timeframe to fix the issue. In some cases, they may instead publish the vulnerability to alert the public directly.
Disclosing a vulnerability to the public is known as full disclosure, and there are different reasons why a security researcher may go about this path. A security researcher may disclose a vulnerability if:
- They are unable to get in contact with the company.
- Their vulnerability report was ignored (no reply or unhelpful response).
- Their vulnerability report was not fixed.
- They felt notifying the public would prompt a fix.
- They are afraid of legal prosecution.
While not a common occurrence, full disclosure can put pressure on your development team and PR department, especially if the hacker hasn’t first informed your company. These scenarios can lead to negative press and a scramble to fix the vulnerability.
IS FULL DISCLOSURE MORALLY SOUND?
If a finder has done everything possible to alert an organization of a vulnerability and has been unsuccessful, full disclosure is the option of last resort. Some security experts believe full disclosure is a proactive security measure: their argument is that the public scrutiny it generates is the most reliable way to build security awareness. Others believe it is a careless technique that exposes the flaw to other potential attackers. Regardless of where you stand, getting hacked is a situation worth protecting against.
RESPONSIBLE DISCLOSURE – GETTING STARTED
A responsible disclosure policy is the first step in helping protect your company from an attack or a premature vulnerability release to the public. The best part is that they aren’t hard to set up and give your team peace of mind when a researcher discovers a vulnerability. Getting started with responsible disclosure simply requires a security page that states:
- What parts or sections of a site are within testing scope.
- The types of bugs and vulnerabilities that are valid for submission.
- A dedicated security email address to report the issue (often firstname.lastname@example.org).
Best practices include stating the response times a researcher should expect from the company’s security team, as well as the expected time for the bug to be fixed. If you’d like an example, you can view Bugcrowd’s Standard Disclosure Policy, which is utilized by its customers. If you want to go deeper on the subject, we also updated our Ultimate Guide to Vulnerability Disclosure for 2020.
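The security page described above has a standard machine-readable counterpart: a `security.txt` file (RFC 9116) served at `/.well-known/security.txt`, carrying the contact address, the policy link and an expiry date so researchers know the contact details are still current. The following is an added example, not code from this post or from Bugcrowd: it renders such a file from the pieces a disclosure page needs and runs the basic consistency checks a defender would want before publishing it (mandatory `Contact` and `Expires`, accepted contact URI schemes, HTTPS policy links, a non-expired timestamp). All addresses and URLs in it are constructed placeholders.

```python
"""Render and sanity-check an RFC 9116 security.txt file.

Added example; field names follow RFC 9116, while every address, URL and
timestamp below is a constructed placeholder rather than a real contact.
"""
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116, keyed by lowercase name because the
# specification treats names as case-insensitive.
KNOWN_FIELDS = {
    "contact": "Contact", "expires": "Expires", "policy": "Policy",
    "encryption": "Encryption", "acknowledgments": "Acknowledgments",
    "preferred-languages": "Preferred-Languages", "canonical": "Canonical",
    "hiring": "Hiring", "csaf": "CSAF",
}
SINGLE_VALUED = ("Expires", "Preferred-Languages")   # at most once per file
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")    # Contact must be a URI


def render_security_txt(contacts, policy_url, expires, languages=("en",)):
    """Serialize a minimal security.txt from a disclosure page's contents."""
    lines = ["# Disclosure contact and policy (constructed sample)"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    lines.append(f"Policy: {policy_url}")
    lines.append("Preferred-Languages: " + ", ".join(languages))
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return {field: [values]} in file order; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        canonical = KNOWN_FIELDS.get(name.strip().lower(), name.strip())
        fields.setdefault(canonical, []).append(value.strip())
    return fields


def validate_security_txt(fields, now=None):
    """Return a list of problems; an empty list means the basic checks pass."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for required in ("Contact", "Expires"):
        if required not in fields:
            problems.append(f"missing required field {required}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI, got {contact!r}")
    for url in fields.get("Policy", []) + fields.get("Canonical", []):
        if not url.startswith("https://"):
            problems.append(f"{url!r} should be served over https")
    for value in fields.get("Expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a timezone")
        elif expires <= now:
            problems.append("security.txt has expired; researchers may treat its contacts as stale")
        elif expires - now > timedelta(days=366):
            problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems


def check_security_txt(text, now_iso=None):
    """Convenience wrapper: parse and validate text, with 'now' given as ISO 8601."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso else None
    return validate_security_txt(parse_security_txt(text), now)


if __name__ == "__main__":
    sample = render_security_txt(
        ["mailto:security@example.com"],          # constructed placeholder address
        "https://example.com/security-policy",    # constructed placeholder URL
        datetime.now(timezone.utc) + timedelta(days=180),
    )
    print(sample)
    print("problems:", check_security_txt(sample))
```

Re-run the check from a scheduled job: the `Expires` field is the one part of the file that silently goes wrong, and an expired file tells researchers the contact may no longer be monitored, which is exactly the "unable to get in contact" situation that pushes finders toward full disclosure.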
Implementing a responsible disclosure policy will lead to a higher level of security awareness for your team. Bringing the conversation of “what if” to your team will raise security awareness and help minimize the occurrence of an attack.
At Bugcrowd, we’ve run over 495 disclosure and bug bounty programs to provide security peace of mind. Whether you have an existing disclosure program or are considering setting up your own, Bugcrowd provides a responsible disclosure platform that can help streamline submissions and manage your program for you.
Ready to get started with Bugcrowd? Just head to this page. Our team will be happy to go over the best methods for your company’s specific needs.