What is Responsible Disclosure?

Benefit from the knowledge of hackers by giving them transparent rules for submitting vulnerabilities to your team through a responsible disclosure policy. There are three types of disclosure: discretionary disclosure, coordinated disclosure, and full disclosure.

WHAT IS RESPONSIBLE DISCLOSURE?

Responsible disclosure is a process that lets hackers report the vulnerabilities they find to your team safely, privately, and with a clear expectation of what happens next.

Without such a process, a hacker who finds a flaw in your applications or infrastructure often has no safe or efficient way to tell you about it. Writing a responsible disclosure policy can seem confusing and time-consuming, so many organizations never create one at all.

To help organizations adopt responsible disclosure, we’ve developed an open-source responsible disclosure policy your team can utilize for free.

Many organizations implement vulnerability disclosure programs to address this. A dedicated platform simplifies the reporting process and makes it easier for hackers to submit their findings.

FULL DISCLOSURE – WHY IT’S NOT IDEAL

Occasionally a hacker will discover a flaw in your app, and it is then up to that hacker to decide how to report it. In most cases, the hacker will report the vulnerability privately to your team and allow a reasonable timeframe for a fix. In some cases, they may instead publish the vulnerability (sometimes with a working exploit) to alert the public directly.

Publishing a vulnerability without first coordinating a fix is known as full disclosure, and there are several reasons a hacker may take this path. A hacker may fully disclose a vulnerability if:

  • They are unable to get in contact with the company.
  • Their vulnerability report was ignored (no reply or unhelpful response).
  • Their vulnerability report was not fixed.
  • They felt notifying the public would prompt a fix.
  • They are afraid of legal prosecution.

While not a common occurrence, full disclosure puts immediate pressure on your development team and PR department, especially if the hacker has not informed your company first. These scenarios can lead to negative press and a scramble to fix the vulnerability while attackers already have the details.

IS FULL DISCLOSURE MORALLY SOUND?

If a finder has done everything possible to alert an organization to a vulnerability and been unsuccessful, full disclosure is the option of last resort. Some security experts regard full disclosure as a proactive security measure, arguing that the public scrutiny it generates is the most reliable way to force fixes and build security awareness. Others consider it a careless technique that hands the flaw to attackers before a fix is available. Whichever side you take, the outcome it can lead to, being hacked through a publicly known flaw, is worth protecting against.

RESPONSIBLE DISCLOSURE – GETTING STARTED

A responsible disclosure policy is the first step in protecting your company from an attack or a premature public release of a vulnerability. The best part is that policies are not hard to set up, and they give your team peace of mind when a hacker discovers a vulnerability. Getting started with responsible disclosure simply requires a security page that states:

  • What parts or sections of a site are within testing scope.
  • The types of bugs and vulnerabilities that are valid for submission.
  • A dedicated security email address for reporting the issue (conventionally security@ on your own domain, e.g. security@example.com).

Best practices also include stating the response times a hacker should expect from the company's security team, as well as the expected time to fix a reported bug. For an example, you can view Bugcrowd's Standard Disclosure Policy, which its customers use. If you want to go deeper on the subject, we have also updated our Ultimate Guide to Vulnerability Disclosure.

Another reason a policy matters is that it gives hackers a measure of legal protection: a policy that explicitly authorizes testing within the stated scope (often called a safe harbor) tells the hacker in advance what is permitted. There is a growing focus on ensuring such protection, and some jurisdictions are taking steps to shield hackers who responsibly disclose vulnerabilities from legal repercussions.

Implementing a responsible disclosure policy also raises security awareness within your team. Bringing the "what if" conversation to your team makes security a shared concern and helps reduce the likelihood and impact of an attack.

At Bugcrowd, we've run over 495 disclosure and bug bounty programs to provide security peace of mind. Whether you have an existing disclosure program or are considering setting up your own, Bugcrowd provides a responsible disclosure platform that can streamline submissions and manage your program for you.

If you’re interested in learning more about vulnerability disclosure, here are a few places to start:

Ready to get started with Bugcrowd? Just head to this page. Our team will be happy to go over the best methods for your company’s specific needs. 
