What is a vulnerability disclosure program?
A vulnerability disclosure program (VDP) is a process by which an organization receives vulnerability reports from external parties, whether a hunter, a media outlet or a government agency, through a dedicated channel.
Each VDP is different and should be tailored to your company's threat profile, regulatory requirements and assets. That said, all vulnerability disclosure programs share three components:
- A website or other communication channel where the organization can receive information about the vulnerability.
- A policy that sets clear expectations and gives explicit instructions on how to report problems.
- A process flow that determines how a given vulnerability will be validated.
Main advantages of a VDP
The main advantages of a vulnerability disclosure program are as follows:
- It increases the effectiveness of vulnerability disclosure.
- It shows the organization's commitment to protecting its digital assets and responding to risks.
- It demonstrates a commitment to maintaining a good relationship with the security research community.
What are the objectives of establishing a vulnerability disclosure program?
As software vulnerabilities become more and more common, companies need to widen their catchment area in order to discover them. Yet many cybersecurity professionals report that they are unable to report the vulnerabilities they have discovered because the affected organizations do not have a VDP.
Vulnerability disclosure programs help organizations achieve the following objectives:
- Reduce risk.
- Improve the return on investment in security.
- Accelerate digital transformation.
- Help make better security decisions.
- Improve security transparency and trust with customers.
How to start a VDP?
We already know how important it is for companies to have a vulnerability disclosure program, but how do you start and manage one effectively?
We explain it in four steps:
- Decide between self-managed and hosted.
Companies with few Internet-facing assets, or limited resources to accept and remediate vulnerabilities, may choose self-management, since the resulting flow of vulnerabilities is more manageable. On the other hand, submissions may exceed the capacity of a small team to respond in a timely manner, in which case a managed model is more advisable.
- Codify expectations.
For the VDP to be scalable and robust, organizations must provide hunters with written guidance. It should state what conduct the company considers acceptable, which techniques are out of scope, and so on.
- Be accessible
It is very important to have clear communication with hunters, over specific and secure channels.
- Define clear rules
A vulnerability disclosure program should define clear rules based on good faith. These define the relationship with hunters, so that both companies and hunters benefit from the interactions.
Organizations should receive as much information as possible about a vulnerability, and hunters should expect quick responses to their submissions.
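One concrete way to publish the dedicated reporting channel described above (the website or communication channel every VDP needs, and the "be accessible" step) is a security.txt file served at /.well-known/security.txt, as standardized in RFC 9116. The following is an added example, not code from the original article: it builds such a file from the program's contact details and checks it before deployment (required Contact and Expires fields, URI schemes for contacts, a future expiry of at most a year). All addresses, URLs and dates are constructed placeholders, and the `utc()` helper is ours.

```python
"""Build and sanity-check a security.txt (RFC 9116) file for a VDP.

Added example, not code from the original article. Field names follow
RFC 9116; every contact address, URL and date below is a constructed
placeholder, not a real organization's data.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")          # RFC 9116: both mandatory
SINGLE_VALUE_FIELDS = ("Expires", "Preferred-Languages")
KNOWN_FIELDS = ("Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF")
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")  # allowed Contact URI forms


def utc(year, month, day):
    """Helper (ours): a timezone-aware UTC datetime for a calendar date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def render_security_txt(contacts, expires, policy=None, encryption=None):
    """Return the text of a security.txt file listing the VDP's contact points."""
    lines = ["# Vulnerability disclosure contact points (constructed example)"]
    lines += [f"Contact: {c}" for c in contacts]
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines.append(f"Expires: {stamp}")
    if policy:
        lines.append(f"Policy: {policy}")
    if encryption:
        lines.append(f"Encryption: {encryption}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return {field name: [values]} ignoring comments and blank lines."""
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':'): {line!r}")
        name = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is fit to publish."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear only once: {name}")
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be an https://, mailto: or tel: URI: {value}")
    if len(fields.get("Expires", [])) == 1:
        try:
            expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an RFC 3339 date-time")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif expires <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif expires > now + timedelta(days=365):
                problems.append("Expires is more than a year away; RFC 9116 recommends less")
    return problems


if __name__ == "__main__":
    # Constructed placeholders for a fictional example.com program.
    text = render_security_txt(
        ["mailto:security@example.com", "https://example.com/vdp/report"],
        datetime.now(timezone.utc) + timedelta(days=180),
        policy="https://example.com/vdp/policy",
    )
    print(text)
    print("problems:", check_security_txt(text) or "none")
```

Serve the rendered text over HTTPS at /.well-known/security.txt and re-run the check whenever the contact details change; the Expires check is what keeps researchers from mailing a dead inbox after a team reorganization.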