Bug bounty programs may capture the majority of headlines in hacker-powered security today, but organizations of all shapes and sizes must first open a channel for ethical hackers to alert them to potential vulnerabilities they find. It’s called a vulnerability disclosure policy (VDP), or a responsible disclosure policy. It’s promoted extensively from the U.S. Department of Justice to the European Commission to the U.S. Food & Drug Administration.
Why are these organizations so adamant about responsible disclosure policies? Because they work and they protect assets. For example, the Department of Defense alone has received over 5,000 valid vulnerabilities through their VDP. That’s thousands of potentially exploitable vulnerabilities that would have gone unfixed had they not been reported via their VDP.
This article will explain a vulnerability disclosure policy is, what’s included in a good policy, which organizations have a VDP today, and which government agencies have published guidance on VDPs.
What is a Vulnerability Disclosure Policy?
"We need to move to a world where…all companies providing internet services and devices adhere to a vulnerability disclosure policy." - Julian King, Security Union Commissioner, European Commission
A VDP is the digital equivalent of “if you see something, say something.” It’s intended to give anyone — ethical hackers (aka “researchers” or “finders”), anyone who stumbles across something amiss — clear guidelines for reporting potentially unknown or harmful security vulnerabilities to the proper person or team responsible.
Think of this real-life analogy: you walk past a neighbor’s house and see their back door was left wide open. What would you do? You’d probably knock on their door, holler for them, or maybe even call them.
But for organizations or technology or websites, it’s not that simple. You might not know how to contact them, where to even find a phone number or email address, or what to tell them. Furthermore, you wouldn’t know if your email or voicemail ever made it to the correct person, or anyone at all. Or, after looking for and not finding an appropriate contact mechanism, most of us would probably give up.
VDPs are intended to remedy that situation by giving finders clear directions on how to report a potential vulnerability, and giving your internal security team an easy means with which to receive such reports. It also helps eliminate the potential business chaos should someone not know how to report a vulnerability and it winds up on social media.
CRITICAL ELEMENTS OF A VULNERABILITY DISCLOSURE POLICY
What’s great about VDPs is they can be as simple as a few statements and are generally just a few pages long. What’s important is to include these five elements:
1. Promise: You state a clear, good faith commitment to customers and other stakeholders potentially impacted by security vulnerabilities.
2. Scope: You indicate what properties, products, and vulnerability types are covered.
3. "Safe Harbor": Assures that the finder reporting in good faith will not be unduly penalized.
4. Process: The process finders use to report vulnerabilities.
5. Preferences: A living document that sets expectations for preferences and priorities regarding how reports will be evaluated.
Many VDP templates and guides exist. The Coordinated Vulnerability Disclosure Template published by a working group of the U.S. National Telecommunications and Information Administration is one that’s highly recommended.
While each of these five elements is important, getting that information to your team is crucial. As mentioned, that can be as simple as an email address or webform, or a more detailed process.
HackerOne Response provides all three ways for hackers to submit vulnerabilities to you and your team, allowing you to choose any combination to fit your needs. Here’s how they differ:
- Email forwarding delivers emails to your HackerOne inbox, letting you manage reports directly through HackerOne. If you already have an existing security email, email forwarding is a simple, effective, and fast way to start with HackerOne Response. However, with email forwarding alone, your program will not be on the HackerOne directory and will get minimal attention from HackerOne hackers.
- Embedded submission forms let you prescribe the precise information you want in each report, which streamlines submissions and management. Receiving vulnerability reports via embedded forms also allows for anonymous submissions.
- A standard VDP policy page listed on the HackerOne directory ensures your VDP receives maximum exposure to our hacker community. Neither email forwarding nor embedded forms provide this level of visibility into your VDP with the HackerOne community. The directory’s numerous filters and search options make it easy for hackers to find your VDP, which often increases the number of reports you receive.
Regardless of which options you choose, our Controlled Launch service ensures a seamless VDP launch, with minimum risk of overwhelming your IT, Engineering, and Security teams.
VDP Best Practices Focus on Safe Harbor
"Companies that lack a clear vulnerability disclosure program are at increased risk should a security researcher find a vulnerability, which they may disclose in a chaotic manner." - Megan Brown, Partner, Wiley Rein LLP
Research shows that hackers sometimes avoid disclosing vulnerabilities due to non-existent or unclear disclosure policies. The risk of legal action is too great, they say, so the vulnerability remains open. To reassure hackers that, when acting in good faith, there will be no legal action, VDPs should include a safe harbor statement.
In March 2018, Dropbox made its VDP “a freely copyable template” for others to emulate. This is notable as Dropbox added a legal safe harbor pledge to its VDP, promising “to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.” HackerOne also introduced legal safe harbor language as a default for new policy pages, further solidifying it as industry standard.
What Organizations Have a VDP Today?
No organization is too small or too large to benefit from a VDP. And, many organizations are not only recommending VDPs, but are also leading the charge with their own candid insights into their own VDPs and the related benefits. However, many more companies are still leaving themselves open to unnecessary risk.
Each year, HackerOne analyzes the entire Forbes Global 2000 list of the world’s most valuable public companies as one benchmark for public VDP adoption. Based on the 2017 Forbes Global list, 93% of companies do not have a known VDP, compared to 94% of the 2016 list. While these numbers show marginal progress, there is obvious room for improvement. With so many organizations urging companies to adopt VDPs, along with Gartner’s recent predictions that 50% of enterprises will have crowdsourced security solutions by 2022 , we remain optimistic that more companies will publish VDPs soon.
But until VDP adoption increases, vulnerabilities will continue to remain unreported, and breaches will continue at an accelerated rate. Nearly 1 in 4 hackers have not reported a discovered vulnerability because the company didn’t have a channel to disclose it, according to our 2018 Hacker Report.
Influence of Governing Bodies on VDPs
VDPs are seen as an invaluable tool in fighting cybercrime. Recently, government and industry organizations have begun to publish VDP how-tos, templates, standards, and related guidance on how to implement, manage, and audit these important programs.
Standardization is being applied to VDPs by various bodies, with definitions published by the U.S. Department of Justice (DoJ) and in ISO 29147. Many other organizations have published guidance or issued statements including the U.S. Food & Drug Administration which said that “manufacturers should also adopt a coordinated vulnerability disclosure policy.” Still others are positioning VDPs as an effective tool to help comply with laws and regulations, specifically GDPR.
The Center for European Policy Studies, for example, recently stated that VDPs “may reduce the risk of incurring fines arising from possible personal data breaches." This suggests that, in the case of a GDPR-related breach, the absence of a VDP could be seen as worthy of penalization.
Governments and Industry Groups Continue to Promote VDPs
Legal Experts and Market Leaders Tout VDP Value
Read what others had to say in Voices of Vulnerability Disclosure.
Building Your VDP on a Proven Platform
In part 2 of this series, we’ll look at how HackerOne Response offers a solution to the complete program behind a VDP, from tracking and automation to auditing and integration with your existing vulnerability tracking and engineering tools. Feel free to download this blog as a pdf resources as well!