In software development, errors are inevitable—with one report estimating up to 50 errors per 1,000 lines of code. That means that security vulnerabilities are, quite simply, a fact of life. Taking into consideration that code will be recycled and reused across potentially millions of deployment points, the potential size of the attack surface is staggering.
In this environment, all organizations have to adopt strategies to maintain the trust of stakeholders—organizations must prove that they do everything possible to secure their systems and data.
Vulnerability disclosure programs (VDPs) are now an industry standard (and often a required one for compliance reasons) for proving an organization’s public commitment to a strong security posture. A complement to bug bounties and penetration testing, VDPs allow anyone on the internet to altruistically report any security vulnerability they’ve found.
A vulnerability is a security flaw or weakness in software or in an operating system that an attacker could exploit to compromise the system.
Vulnerabilities in processes, code, configurations, and critical systems resources can offer malicious actors an opportunity to compromise your digital assets. Research has shown us that the average software application may have dozens of bugs for every thousand lines of code. The defects not discovered during the Development Operations (DevOps) process may be found later by malicious actors. Configuration errors are significant additional sources of vulnerabilities, especially for cloud-based applications, and often emerge due to mistakes made in production deployment.
Vulnerabilities are inevitable and not a sign of weakness. It’s all about how an organization responds to these vulnerabilities. A VDP is a structured framework for hackers to document and submit security vulnerabilities to organizations. VDPs help organizations mitigate risk by supporting and enabling the disclosure and remediation of vulnerabilities before hackers exploit them. VDPs usually contain a program scope, safe harbor clause, and remediation method. VDPs generally cover all publicly accessible, internet-facing assets. Publicly posted VDPs suggest that the organization is unlikely to be an easy target.
VDPs may be best described as the internet’s “neighborhood watch.” Neighborhood watches, of course, rely on volunteers to monitor their communities for suspicious activity and to report incidents to the police when warranted. In other words, “if you see something, say something” applies equally to a VDP.
Like neighborhood watches, VDPs encourage anyone on the internet to be vigilant for the benefit of all. Specifically, they offer a framework for publicly disclosing vulnerabilities discovered outside typical testing cycles. As VDPs usually cover all publicly accessible internet-facing assets, anyone with an internet connection can participate in the surfacing of vulnerabilities. 87% of organizations report receiving at least one P1 vulnerability through their VDPs.
The adoption of a VDP is an acknowledgment that the organization understands the inevitability of vulnerabilities and is committed to security transparency. It’s worth noting that VDPs are different from bug bounty programs and penetration testing, which provide monetary incentives for discovering critical, in-scope vulnerabilities. Only 15% of hackers expect a bounty in return for submitting a vulnerability report via a VDP. We’ll cover more of this later in the guide.
The methods used to manage VDPs differ by organization and are often dependent on their goals, resources, and bandwidth. While some choose self-management to get started, most rely on third parties like Bugcrowd to monitor intake channels, triage findings, and provide feedback to the submitting party at a speed and scale that most self-managing companies would find difficult.
By enabling the reporting of vulnerabilities found through the routine use or testing of externally-facing products and services, VDPs help organizations reduce risk with minimal disruption to existing security and production life cycles.
While many organizations derive great value from highly active VDPs in this fashion, the purpose of a VDP is first and foremost to provide a secure channel for altruistic, externally sourced security feedback. Therefore, they complement, but don’t replace, bug bounties and pen tests, which are tightly focused on uncovering critical vulnerabilities.
Instead, by offering recognition to well-intentioned hackers who abide by a defined process, VDPs simultaneously build and enhance an organization’s reputation for security, aka its “security brand.”
Countless vulnerabilities are being written into new and existing software every day, and organizations need to maximize their ability to discover them. However, per Bugcrowd’s research, 58% of ethical hackers (aka security researchers) won’t report a vulnerability if the owner of that vulnerability doesn’t provide a clear way for doing so.
Let’s take a closer look at the idea of “taking security seriously” and discuss what this actually entails. This statement can usually be boiled down to a few common goals and priorities:
VDPs help organizations achieve these goals in many different ways. We’ll discuss how VDPs on the Bugcrowd Platform specifically support the above security goals later on in this guide.
Beyond building a stronger security posture, a VDP offers several key benefits to an organization’s customers, partners, investors, and employees, as well as to the hacker community.
Vulnerabilities are an externality that affects end users much more than owners. This means organizations should not only prioritize the security of their users’ data for users’ sake but also for the prevention of the reputational, and ultimately financial, damage organizations will incur if they fail to do so.
A VDP allows companies to reduce risk while publicly showcasing their commitment to security in a way that is both easily understood and easily verified.
Partners, investors, and employees
The VDP halo extends to an organization’s overall security brand, acting as a strong indicator of security posture for external stakeholders like prospective investors, partners, and other collaborators. These programs are public evidence of an organization’s culture of remediation, recognition, respect, and commitment to rapid response. For potential security hires, the presence of a VDP often signifies the influence wielded by security leadership among executive peers in Marketing, Legal, and Sales.
Any discussion on the impact of VDPs would be incomplete without due attention to the finders of vulnerabilities themselves. VDPs provide emerging hackers with the opportunity to hone their skills, while established hackers can build and extend relationships with organizations that may result in private, invite-only engagements like bug bounties. Moreover, both groups benefit from the knowledge that they are incrementally improving an organization’s security.
Most hackers are motivated by a combination of education, rewards, and recognition. Unfortunately, “recognition” is all too often lumped in with “reward.” Rewards and recognition are both gestures of appreciation, but each is rooted in a different measure of value. VDP rewards may come in the form of kudos or swag. Recognition provided by a VDP goes beyond an organization’s acknowledgment of a hacker’s contributions and instead refers to the hacker’s ability to have those contributions recognized by the broader security community. It is global recognition through disclosure.
Sharing security vulnerabilities with the world enables organizations to get ahead of threats before they become larger problems. Communicating how and when vulnerabilities were uncovered can drastically reduce the frequency of their creation while improving the ability of hackers to more readily spot related issues. Additionally, according to Bugcrowd’s research, organizations that adopt disclosure terms see 30% more vulnerabilities than organizations that don’t.
“Disclosure” has two meanings here: the communication of discovered vulnerabilities to the organization in which they were discovered, and their communication to external parties, usually in a public forum. While the first benefits an organization and, by extension, its direct customers, partners, and other stakeholders, the second, when done right, benefits the entire digitally connected world.
Coordinated vulnerability disclosure terms emphasize Bugcrowd’s definition of good faith in the context of finding and reporting vulnerabilities; they encourage rapid remediation while demonstrating commitment to and appreciation of the hacker community.
However, the term “disclosure” carries an unfortunate and misplaced stigma, which is holding back security standards globally. Many organizations see the disclosure of a vulnerability as an unnecessary admission of weakness that harms their reputation, but this is a short-sighted outlook. The spectrum of public disclosure includes discretionary disclosure, coordinated disclosure, full disclosure, and nondisclosure.
In addition to improving the security posture of other organizations, coordinated and discretionary disclosure policies strengthen the relationship between an organization and the hacker community. For hackers, their reputations are their brands, and receiving acknowledgment for identifying an exceptionally complex vulnerability enhances their reputation and increases their market value. Organizations that clearly state their willingness to collaborate on disclosing vulnerabilities in advance can expect better relationships with the security community, and often, greater program activity. While the rationale seems straightforward enough for both parties, disclosure decisions are not quite that simple for many organizations.
It is sometimes the case that perceived duties to stakeholders and the board can negatively impact an owner’s disclosure decisions. Embracing vulnerability disclosure creates a security-first mentality, builds an organization’s reputation within the security community, and educates a board in the process. That way, if there is ever a breach, the standard line “we take our security seriously” will carry far more weight.
Some security activists argue that the threat of full disclosure is necessary to keep owners honest and incentivize them to fix vulnerabilities. However, many owners argue that legal protections are necessary to prevent the threat of full disclosure from becoming a vector for blackmail. A solid legal framework that recognizes the motivations of all parties is the best basis for facilitating the sharing of vulnerability information, reporting, and remediation.
In 2020, the U.S. Federal Trade Commission (FTC), Department of Justice (DOJ), and Cybersecurity and Infrastructure Security Agency (CISA) released directives outlining the need for VDPs. With support from major legislative bodies like the National Institute of Standards and Technology (NIST), widespread adoption of VDPs is expected and necessary in the coming years.
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules for Cybersecurity Risk Management, Governance, and Incident Disclosure. The ruling requires organizations to disclose material cyber incidents within four days of determining the criticality of the incident. To be in a position to responsibly comply, organizations must have in place the processes to meet the four-day requirement. One thing organizations can do to facilitate these processes is to provide a clear, unambiguous method for the public at large to report vulnerabilities under safe harbor, aka, a VDP.
Binding Operational Directive 20-01, issued by CISA, requires all 100+ Federal Civilian Executive Branch agencies to develop and implement a VDP. This means that vulnerability disclosure policies are now a federal mandate.
These are just two examples of the increasingly popular belief that VDPs are a must for compliance and establish a baseline for security best practices.
Aligning the interests, incentives, and expectations of both hackers and host organizations primarily involves frequent and clear communication, but there is also a need to provide unambiguous legal clarity and assurance. Hacking, or security research, involves testing, stressing, and sometimes even breaking software to rebuild and improve it. This creates problems, given a legal system that defaults to ownership as a starting point and presumes malice to be the motive for any party who uses and abuses software outside its supposed scope. As a result, the default legal status of vulnerability discovery and disclosure excludes good faith hacking.
The Computer Fraud and Abuse Act (CFAA) prohibits the access of a computer without authorization or the exceeding of authorized access. This renders good faith testing of assets illegal where robust VDPs are not in place, and while the number of hackers convicted for related offenses is low, it has nevertheless had a chilling effect on the community; 60% of hackers do not submit vulnerabilities due to fear of legal retribution.
The Digital Millennium Copyright Act (DMCA) makes it illegal to circumvent controls that prevent access to copyrighted material, defined to include software. This applies even to the legal owners of the products in question.
These laws were passed during a time when hacking was mostly done maliciously, before the advent of bug bounties, good faith hacking, and a thriving community of professional hackers. While the DMCA was amended in 2016 to allow hackers to work on owned consumer devices in good faith, there are still legal gaps that need to be resolved before organizations can fully benefit from VDPs.
Organizations must draft terms for VDPs to allow and incentivize good faith testing and the submission of vulnerabilities in a way that keeps lawyers happy by ruling out backdoor entry points or loopholes for malicious actors. These agreements create a legally robust “safe harbor” for well-intentioned hackers, which considerably increases the number and quality of vulnerabilities submitted.
One starting point to consider is Disclose.io, an open source standardization project that offers a boilerplate VDP framework, instilling a safe harbor and enabling good faith hacking. This provides an accessible legal agreement for the research and disclosure of vulnerabilities and standardizes terms and policies to create a more welcoming space for hackers, many of whom do not speak English as a first language and have minimal legal knowledge (keeping in mind that legal frameworks also differ between countries). The safe harbor terms from Disclose.io were adopted in 2020 by CISA DHS, voting machine manufacturers, and a number of U.S. states to encourage transparency and reporting of cybersecurity issues that could potentially impact elections.
VDPs often serve as an organization’s first foray into the world of crowdsourced cybersecurity. For many organizations, a VDP is the first opportunity to work with the hacker community. Both of these can be a little overwhelming to launch but have massive benefits.
Having a VDP is quickly becoming industry standard and is, in fact, no longer optional for some. The CISA issued a binding directive requiring all federal agencies to publish a VDP.
There are five key steps that every organization can follow to build a strong VDP:
Those willing to implement best practices in vulnerability disclosure can both set a standard among peers and differentiate themselves from their competitors. Here are some steps that can make VDPs work best for organizations, partners, and the security community.
Bug bounty programs—which some call “VDPs with rewards”—allow organizations to direct targeted, rigorous testing at business-critical assets. Similarly, pen test programs enable organizations to focus on compliance-related assets or those in which a structured methodology would improve how security posture is communicated to partners, investors, and customers. Vulnerabilities found through these programs qualify for financial rewards, so most organizations limit their scope for budgetary reasons, and they may also impose limited testing windows. While economical, this creates gaps in coverage and wrongfully assumes that all potential vulnerabilities can and will be surfaced through an exclusive (often private) crowd of hackers. 78% of organizations with a VDP run it alongside bug bounties and/or pen tests.
NIST 800-53 r5 codified the idea that a public bug bounty program is actually a subset of a VDP and is specifically a VDP where monetary rewards are optionally offered as thanks to the finder.
Each program has its strengths and limitations. Pen testing has been recognized and accepted by the auditing community, which makes it useful for assets where compliance is of particular importance. However, the limits in scope and in the partners involved mean pen tests can become rigid and less effective over time. VDPs add a much-needed, yet economical, tool for catching a suspected vulnerability surfaced by anyone, anywhere. But when is the right time to implement a VDP?
The market has tied itself in knots trying to create a linear maturity model for when and how to “progress” between a VDP, Bug Bounty, and/or Pen Test. However, each should be viewed as providing complementary benefits, with adoption driven by individual goals and resources rather than maturity. Think of a VDP as the first building block in external testing. While an agreed-upon sequence might make for tidier budgeting, it also goes against the organic, adaptive, and sometimes unruly nature of security. Every organization is different.
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.