What’s a Vulnerability Disclosure Program & Do You Need One?

October 14, 2021 HackerOne Team

What Is a Vulnerability Disclosure Program?

A VDP is a structured method for anyone to report vulnerabilities. VDPs should include a process for receiving a vulnerability report, prioritizing and remediating vulnerabilities, and setting expectations for follow-ups, such as remediation.

Why All Organizations Need a Vulnerability Disclosure Program

VDPs provide a central place for third parties to report a vulnerability so security teams can quickly assess and remediate it.

VDP’s reduce the chances someone will publicly disclose a bug without the organization’s knowledge. When someone who finds a vulnerability publicly discloses flaws t, they alert both customers and cybercriminals to the vulnerability. This practice harms the brand’s image and exposes the company to unnecessary risk. Language within the VDP protects those who submit vulnerability reports from legal action, providing finders a process to come forward and disclose found vulnerabilities. When a vulnerability is brought directly to organizations for remediation, staff can prioritize the bug, develop a patch, and notify finders on their terms. As a result of having a vulnerability intake process, companies are able to combat public vulnerability disclosures.

Brining vulnerabilities directly to an organization in a coordinated disclosure fashion is considered a best practice in accordance with many global mandates. The U.S. Department of Defense (DoD) uses VDPs to secure their public-facing systems and tap into the expertise of hackers worldwide.

Hackers can uncover vulnerabilities such as cross-site scripting and forgery, SQL injection attacks, and privilege escalation through a VDP. Discovering these flaws before bad actors do allows organizations to patch vulnerabilities before exploitation by cybercriminals.

VDPs also provide increased visibility into the kind, number, and severity of vulnerabilities companies face. Understanding the attack surface and average remediation times allows organizations to improve their operational processes and approach cybersecurity proactively.

VDPs can help organizations pass audits and provide proof of compliance through attestation reports. The National Institute of Standards and Technology (NIST), in a 2020 update to their “Security and Privacy Controls for Information Systems,” outlined best practices for organizations looking to mitigate risk and positioned VDPs as a core component of every security strategy. 

Another standard published by ISO 29147 provides requirements and recommendations to vendors on disclosing vulnerabilities in products and services.

Every successful VDP consists of at least five core components. Each plays a crucial role and protects the relationship between the finder and the business. Below are descriptions of the components and explanations of their importance.

Promise Statement

The promise statement lets everyone know why an organization has a VDP. An organization's promise statement demonstrates to the public that they are proactive regarding vulnerabilities and take threats seriously. Through an opening statement, organizations show customers and investors the organization's level of dedication to ongoing cybersecurity—outside of educating researchers.

Scope

Scope defines the indicated systems and products for security research. The scope’s guidelines list domains and products suitable for testing while also restricting specific hacker testing areas.  

Many organizations ban tests that impact their productivity. Brute-force attacks and social engineering attempts are a few of the commonly restricted tests. See Figure 1 below for Instacart’s public HackerOne VDP program showing both in and out of scope assets.
 

8.5
8.5 scope
Figure 1: In and out of scope assets for Instacart VDP


Safe Harbor

Safe harbor fosters a secure and productive VDP by protecting those who disclose vulnerabilities from legal action. This section is essential to safeguard and encourage hackers to disclose bugs through an organization's official channel.


Hackers who find a bug often avoid disclosing it because the risk of legal action is too significant or not understood. Without a detailed safe harbor section, hackers may avoid disclosing for fear of retribution. HackerOne includes safe harbor language by default for all new VDP launches.

safe harbor

Process Description

The process description details the report submission and remediation process. Reports should include the vulnerability’s severity, how attackers can exploit it, and how developers can reproduce the bug. This information helps security teams prioritize threats and quickly validate new disclosures. A thorough process description can dramatically reduce remediation time and minimize your exposure to attack through prioritization.

Vulnerability disclosures may lack the details the remediation team needs to validate and patch the bug without a process description. Lacking a description can slow the patching process and leave systems exposed longer than necessary.

process

Preferences

The preferences section sets expectations for how your organization will evaluate reports. Process workflow should include expected response times, whether the organization will publicly disclose bugs, and if the hacker will receive a confirmation upon repair.

Communication is essential in building a solid relationship between hackers and organizations. Hackers want to know that organizations pay attention to their submissions and take them seriously. Otherwise, frustrated hackers may prematurely and publicly disclose vulnerabilities if they feel an organization isn't responsive or actively working on a known bug.

The communication process also helps internal teams prioritize and patch bugs while setting time-based goals for response and remediation. Regardless of how long a bug takes to fix, transparent communication between organizations and hackers builds trust and confidence within the VDP.

Organizations’ preferences help guide remediation and control how disclosure occurs. While many consider it best practice to disclose bugs, it is not mandatory to do so. Organizations working on sensitive projects may opt to push patches out and not disclose bugs publicly. 

How HackerOne Can Help

In the past, designing a VDP required a significant investment of both time and money. Organizations typically developed policies from scratch, built new communication channels, and marketed their platforms. 

HackerOne Response provides all the tools needed to launch a successful VDP from a single platform. Our out-of-the-box setup makes it easy to establish a compliant and policy-driven vulnerability disclosure workflow for continuous security. Contact us to start your VDP today.

Previous Article
DevSecOps: Bridging the Gap Between Security and Development
DevSecOps: Bridging the Gap Between Security and Development

At HackerOne’s recent 2021 Security@ conference, we spoke to Mike Hanley, CSO at GitHub. As a company that ...

Next Article
How Trustpilot Manages Risk by Working with Ethical Hackers
How Trustpilot Manages Risk by Working with Ethical Hackers

Trustpilot, a cloud-first company with little physical infrastructure, relies on external security testing ...