WHAT IS A VULNERABILITY DISCLOSURE POLICY?
A vulnerability disclosure policy (VDP), also known as the Responsible Disclosure Policy (RDP) is a legal statement by a company, that describes how a company will process vulnerability reports submitted by ethical hackers.
By publishing a VDP, a company is basically saying that it won’t prosecute or press charges against independent researchers who find vulnerabilities on their assets or products if they follow certain rules.
If you DON’T have a VDP on your website – then it automatically means that an ethical hacker can’t legally report a vulnerability he found on your website/product, without being prosecuted by law enforcement agencies.
WHY IS IT IMPORTANT TO ESTABLISH VDP ON YOUR SITE AS SOON AS POSSIBLE?
Well, for one thing having a VDP on your website greatly increases your security level, as ethical hackers will now have a legal way of reporting vulnerabilities in case they find one.
Adrian Sanabria, a VP of Strategy and Product Marketing for NopSec is even more vocal about the issue. He states that Every Business Needs a Vulnerability Disclosure Policy. Every. Single. Business.
Another reason is that it soon may be required by law. For instance, The United States House of Representatives passed the Cyber Vulnerability Disclosure Reporting Act that would require companies to publish VDPs.
We see a clear trend both from businesses and policymakers and there’s no doubt that one day everyone will be obliged to produce a VDP. Today, companies can even receive an ISO certification on their VDP programs.
A typical structure of a Vulnerability Disclosure Policy
HackenProof is ready to assist anyone in constructing their own VDP. It’s our mission to build a safer cyberspace and helping companies construct VDP is certainly part of that. Here we explain a rough guideline to what your VDP should look like:
VDP usually starts off with a statement of commitment to the security of their product and their user’s data. A company should state why has it created this policy and why is it important. This is a message not only to ethical hackers but also to customers, media, potential partners.
2) Safe Harbor
This part is directed to ethical hackers directly and is incredibly important. Any researcher who found a vulnerability can potentially face legal actions by a company. Thus it is vital to convey a very clear message that if a researcher follows guidelines described in a VDP, legal actions won’t be pressed against this researcher. This section is all about building trust between a company and a researcher.
To help researchers understand what is what, a company should publish a scope to clearly identify assets and products that are covered by a Vulnerability Disclosure Policy. It is also a good idea to list an “out of scope” section, since a company may not want to receive vulnerabilities on older versions of products that it is not supporting anymore.
As well as listing products and assets that are within scope, companies should also identify types of vulnerabilities that are worth reporting. Not all vulnerabilities actually cause harm and companies may already know about them. Thus a clear scope will save time for researchers since they will know what to look for and where.
4) How to submit a vulnerability
In this section, companies should state what is the mechanism of submitting a vulnerability. In addition, it is worth describing what details should be submitted and in what format.
Companies should also explain what is the standard communication procedure between a researcher and a company.
The goal here is to make it as easy as possible for hackers to submit vulnerabilities to your technical team. If you make a submission process too complicated, you may discourage researchers submitting vulnerabilities at all.
5) Do’s and Don’ts
This is basically a list of preferences that detail any other aspect regarding vulnerability submission process and communication with a company’s tech team.
It is also worth including a disclosure policy in this section, as researchers might want to disclose (produce a write up) of a bug they’ve found. Clearly stating when can a researcher does that, will mitigate a problem of unwanted publications and unnecessary conflicts. After all – the aim of the whole document is to set up clear operational and communication guidelines so that both parties can benefit from the VDP.
Is there a difference between a Vulnerability Disclosure Policy and a Bug Bounty Program?
Bug Bounty Program is essentially a Vulnerability Disclosure Program with a monetary reward system that has been clearly defined. Thus, companies that have Bug Bounty Programs make an even louder statement about commitment to security, since they proactively state that they will pay for any vulnerabilities found on their site/product by ethical hackers.
Some companies forgo the VDP statement altogether and simply redirect ethical hackers to a Bug Bounty Page instead.
Publishing your Vulnerability Disclosure Policy
VDP should be published on a company’s website. Usually with a URL https://companyname.com/responsible-disclosure-policy/ or https://companyname.com/vulnerability-disclosure-policy/
All in all, it should be easily found by search engines when typing “company name responsible disclosure policy” query. Don’t make it hard for security researchers to find your VDP page
There’s even a tool for creating VDP texts. You simply fill out the form and download a file and upload it to your website. This will help ethical hackers get in touch with your technical team, in case they find a vulnerability on your product/website.
In addition, we strongly advise you to instruct your personnel how to handle emails that researchers might send your way. In case a researcher doesn’t find your VDP and sends an email “where should I send a vulnerability report” to your default message box (for example [email protected]).
Here’s an interesting post from an ethical hacker that found a race condition on Starbucks gift card. When he attempted to contact the company, Starbucks’s employee had no idea what to reply to him and started threatening him with legal action. That’s not how you should communicate with people who want to help!
As we’ve stated before, compensation for researchers who found vulnerabilities are neither specified nor required in a VDP. Moreover, in some cases it’s even against company policy to demand one:
We should point out that it’s a great idea to show respect and gratitude to the white hat community. After all, they have made your product better and safer to use.
Here are some ideas on how you can do that:
- Hall of Fame that lists all researchers that have submitted valid vulnerabilities.
- Swag packs or special offers on your services to reward the most active vulnerabilities
This will motivate researchers to dedicate more time to your product/website.
Despite the fact that many companies across the globe publish Vulnerability Disclosure Policies on their websites, the majority of companies don’t have one yet.
By publishing a Vulnerability Disclosure Policy, companies send a clear statement to both clients and partners that they care about security. Talk to a HackenProof representative, to learn how can you leverage the power of the crowdsourced security to secure your business.