“Finding and eradicating vulnerabilities is an important aspect of cybersecurity. All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities. The U.S. Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises.”
These were the words of Rod J. Rosenstein, Deputy Attorney General at the Global Cyber Security Summit in London last Friday.
Mr. Rosenstein’s comment underscores the value of working with external white-hat hackers and security researchers who want to assist security teams by disclosing the vulnerabilities they find through a compliant, legal process, one that you and your organization define as part of a best-practice vulnerability disclosure policy (VDP).
HackerOne, a leading vulnerability disclosure and bug bounty platform, works with over 950 customers, including the U.S. Department of Defense, Adobe, Airbnb, and General Motors, that have realized the benefit of running HackerOne Response: an ISO-29147 compliant solution designed to receive, resolve, and respond to security vulnerabilities discovered by third-party researchers, academics or other members of the public.
Mr. Rosenstein and the Department of Justice are not alone in their recommendation for companies of all sizes — including government agencies — to create vulnerability disclosure policies to enhance existing security strategies.
Guidance on vulnerability disclosure has been published by numerous organizations, including the United States Department of Defense, the Food and Drug Administration, the National Highway Traffic Safety Administration, the National Telecommunications and Information Administration, the National Institute of Standards and Technology, and the Federal Trade Commission.
We’ve compiled a list of helpful resources in the section below.
Helpful Resources for Vulnerability Disclosure Policies:
Vulnerability Disclosure Policy Guide: A complete guide for crafting an effective VDP
An Invitation to Hack: The Benefits and Risks of Vulnerability Disclosure and Bug Bounty Programs: Webinar with Wiley Rein LLP’s Megan Brown and Matt Gardner
And coming soon: Your TL;DR Summary of The CERT Guide to Coordinated Vulnerability Disclosure