Vulnerability disclosure programs (VDPs) are structured processes through which an organization receives, documents, and tracks reports of security vulnerabilities in its systems from outside parties. Being ready and able to address vulnerabilities before they become problems is an essential part of any cybersecurity strategy.
While VDPs are not currently required by law, the U.S. government encourages vulnerability disclosure programs as a proactive approach to cybersecurity. A successful VDP manages possible risks across an attack surface, protecting your organization and data from incidents before they occur.
What is a Vulnerability Disclosure Program?
A website or software application may contain thousands of lines of code, which can include bugs not caught internally, even through routine testing during the software development process. This creates potential exploits that hackers or cybercriminals can leverage.
A vulnerability disclosure program is a unified process through which security researchers, end-users, and the greater cybersecurity community report security flaws and vulnerabilities in a company’s publicly accessible, web-facing assets. This methodology includes voluntarily submitted vulnerability reports, vulnerability ranking, and monitoring of any remediation process.
When vulnerabilities are identified by security researchers, your organization can then assess and correct those areas before they become exposures. VDPs operate as a “safety net,” or “neighborhood watch program” providing your organization the opportunity to address vulnerabilities before a threat actor takes advantage of them. Every VDP is slightly different, and often customized to a company’s individual assets, specific regulations or requirements, and threat profile.
Vulnerability Disclosure Programs vs. Bug Bounty Programs
The main difference between VDPs and bug bounty programs is that VDPs do not offer clear monetary incentives, i.e., “bounties,” for reported vulnerabilities. Instead, a VDP simply provides a safe channel to report those vulnerabilities, and any reports are submitted at the discretion of outside parties, like security researchers, partners, etc.
It’s the equivalent of “see something, say something” for outside parties. However, if a VDP is successful and provides benefits, an organization can launch a formal bug bounty program to continue bolstering its security presence. Even if an organization only utilizes a VDP, it still provides a huge enhancement in security.
Why Do Companies Need a Vulnerability Disclosure Program?
In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD 20-01), requiring federal agencies to establish policies enabling the public to contribute and report vulnerability disclosures. Cybersecurity vulnerabilities are inevitable, so being aggressively proactive is vital to protecting frameworks and preventing data breaches. Vulnerability disclosure programs provide a process for actively searching, identifying, and remediating vulnerabilities, giving stakeholders and customers peace of mind.
Demonstrate Security Maturity
When an organization has a unified VDP, it demonstrates that it is committed to protecting not only its own digital assets and information systems but also any data it may handle on behalf of customers. It understands that cyber threats are broad and ever-changing, and reaching out to the global community of ethical hackers for feedback only enhances its own security framework. VDPs also assist in building trust from the perspective of the end-user and external stakeholders.
Formalize Security Feedback & Cooperation
A vulnerability disclosure program provides a process for positive and productive engagement with the greater cybersecurity community. There is a step-by-step process for security researchers and organizations to collectively share and identify vulnerabilities, establishing cooperation between both parties. Acting in good faith, security researchers and hackers can assist organizations in creating the best and most secure publicly accessible, web-facing assets.
Meet Compliance Requirements
While not formally regulated, the United States Government does encourage VDPs as one of the best practices for cybersecurity strategy and management. Following suit, NIST and the DOJ also recommend VDPs as additional measures to consistently monitor risks and vulnerabilities across organizations.
Who Benefits from a Vulnerability Disclosure Program?
VDPs provide an additional layer of cybersecurity by identifying existing vulnerabilities and addressing risks before those vulnerabilities turn into problems. But the benefits of a comprehensive VDP extend beyond primary prevention, reaching organizations, the greater cybersecurity community, end-users, and beyond.
Cybersecurity is obviously a priority for organizations, but VDPs allow them to go a step further. Internal security teams regularly reduce risk through their established protocols and testing, but they do have a limit. In order to balance timelines, costs, and availability, internal security teams can only do so much. A VDP continues to monitor that security risk beyond the typical development lifecycle of standard software, illuminating vulnerabilities that may slip through the cracks.
Many government agencies across the United States have implemented VDPs to identify vulnerabilities and address them in a timely fashion. In 2016 the Department of Defense (DOD) ran a pilot program called “Hack the Pentagon” that allowed qualified participants to identify vulnerabilities across their public web pages. Following suit, other federal agencies and government agencies did the same. Cybersecurity is vital for these public-facing surfaces, identifying problems before they occur and eliminating data breaches or potential downtime.
End-Users and Customers
End-users and customers always want to make sure the organizations they work with have solid cybersecurity strategies. But often, those strategies can be difficult to explain to an individual with a limited understanding of cybersecurity practices. A vulnerability disclosure program allows organizations to showcase their commitment to security publicly, in a way that is simple to see, understand, and verify—all while addressing vulnerabilities and reducing risk.
Perhaps the most distinctive beneficiaries of VDPs are security researchers. While anyone can submit reports within a VDP, these programs are typically utilized by trained security researchers, ethical hackers, or other individuals looking for opportunities to practice their skills.
These individuals work in good faith, meaning they are not submitting reports to showcase just how many security vulnerabilities an organization has, but working together to make sure the organization stays secure while growing their own skillset along the way. Participation for security researchers revolves around education, personal standing, and altruism.
Types of Vulnerability Disclosure Policies
Earlier this year, the Biden Administration called for coordinated vulnerability disclosure across all technology types and sectors, focusing on collecting and sharing information about flaws in software, hardware, and systems nationwide. These disclosures differ based on the level of transparency involved, and often also consider how an organization handles vulnerability management. Vulnerability management refers to a risk-based approach that identifies, prioritizes, and remediates vulnerabilities and misconfiguration. The following types of vulnerability disclosures are the most common among existing VDPs and can be configured for specific organizations based on their needs.
Non-disclosures are fairly straightforward. They forbid a reporter or security researcher from publicly disclosing any part of the vulnerability identified, even after remediation. Regardless of the gravity of the finding, no vulnerability can be shared when a non-disclosure agreement is in effect. While these programs may accept submissions, they often do not encourage them.
Coordinated or Discretionary Disclosures
Coordinated or discretionary disclosures allow public disclosure of a vulnerability. Depending on an organization’s specific security needs, this may be a whole disclosure, partial disclosure, or determined specifically by case. However, if the vulnerability identified impacts human health and well-being, it may not be disclosed publicly. This is typically the case when disclosing a vulnerability creates a significant risk to customers, for example, when dealing with vehicles, pacemakers, or other IoT devices that are difficult to recall or update remotely.
One of the most common types of disclosures used in VDPs is the time-boxed disclosure. The name comes from the “timer” set for every vulnerability identified. Typically, a timeframe is established between the organization being notified of a vulnerability and the point at which security researchers can publicly disclose it. This type of VDP gives the organization a window to fix the vulnerability before it becomes public, showcasing its commitment to quickly addressing and fixing critical vulnerabilities.
Full disclosure, unlike other approaches, is not typically a program policy. This is an instance of public communication where a vulnerability identified by an individual is publicly disclosed before it has been fixed. Full disclosures may be necessary to force unresponsive owners to address vulnerabilities.
However, disclosures should always both protect the owner and reward the finder, encouraging future cooperation and enhancing the relationship between organizations and the cybersecurity community. With this in mind, both full disclosures and non-disclosures are uncommon because they only benefit one party.
What Makes a Vulnerability Disclosure Program Successful?
Vulnerability disclosure programs, at their core, are not very complicated. In simple terms, a VDP establishes a framework for external parties, like security researchers, to report vulnerabilities—and a process for affected organizations to receive those reports and remediate those vulnerabilities. However, there are a few key components that make up successful VDPs, focused on both organizations and finders.
VDPs should clearly identify to researchers the scope of the policy, including which products, systems, supply chains, and vulnerability types are covered. The scope should also give direction on restricted techniques that may negatively impact an organization’s operations, such as a DDoS (distributed denial-of-service) attack. This scope is flexible, and will naturally change over time as assets and research techniques evolve. When an organization first establishes a VDP, its scope may be minimal, but over time, all VDPs should aim to cover an organization’s entire digital environment.
Process & Expectations
Similar to scope, a vulnerability disclosure program should have a detailed step-by-step process for security researchers to follow. It is also essential to set expectations on how long your organization will take to acknowledge, assess, triage, communicate, and remediate reported vulnerabilities. A comprehensive VDP should clearly define processes and expectations in advance to prevent miscommunications and misunderstandings.
Organizations with VDPs should aim to stay in regular communication with participating researchers throughout the vulnerability reporting process. Examples of this include setting reasonable timeframes for responding to security researchers or specific points of contact at an organization. Additionally, consider recognition for members of the security research community who pinpoint vulnerabilities, giving credit to the individuals who play a role in keeping an organization’s digital presence secure.
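The scope and time-boxed process described in the preceding sections can be made concrete in the intake tooling behind a VDP. The following Python is an added example written for this article, not code from the original page or from any VDP vendor; it assumes a hypothetical policy with wildcard hostname patterns for in-scope and out-of-scope assets, a list of excluded vulnerability classes, and three timers (acknowledge, triage, public disclosure) whose day counts are illustrative assumptions. The sample reports are constructed.

```python
"""Added example: VDP report intake that applies a published scope and a
time-boxed disclosure timeline to incoming reports. All policy values and
sample reports below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VdpPolicy:
    in_scope: Tuple[str, ...]        # hostname patterns the VDP covers (assumed)
    out_of_scope: Tuple[str, ...]    # patterns explicitly excluded (assumed)
    excluded_types: FrozenSet[str]   # vulnerability classes the policy rejects
    ack_days: int = 3                # acknowledge the reporter within N days (assumed)
    triage_days: int = 10            # finish triage within N days (assumed)
    disclosure_days: int = 90        # time-box before public disclosure (assumed)


@dataclass
class Report:
    report_id: str
    asset: str
    vuln_type: str
    received: date
    acknowledged: Optional[date] = None
    triaged: Optional[date] = None
    remediated: Optional[date] = None


def scope_status(policy: VdpPolicy, report: Report) -> str:
    """Classify a report as 'in_scope', 'out_of_scope', or 'excluded_type'.
    Explicit exclusions win over in-scope patterns, so a legacy host listed as
    out of scope stays out even if a broad wildcard would otherwise match it."""
    host = report.asset.lower()
    if any(fnmatchcase(host, p.lower()) for p in policy.out_of_scope):
        return "out_of_scope"
    if not any(fnmatchcase(host, p.lower()) for p in policy.in_scope):
        return "out_of_scope"
    if report.vuln_type.lower() in policy.excluded_types:
        return "excluded_type"
    return "in_scope"


def deadlines(policy: VdpPolicy, report: Report) -> dict:
    """Compute the dates the organization committed to in its published process."""
    return {
        "acknowledge_by": report.received + timedelta(days=policy.ack_days),
        "triage_by": report.received + timedelta(days=policy.triage_days),
        "disclosure_date": report.received + timedelta(days=policy.disclosure_days),
    }


def overdue_steps(policy: VdpPolicy, report: Report, today: date) -> List[str]:
    """Return the process steps that are past their deadline and still open.
    A step that was completed late is not flagged; the point is to drive
    action on what is still owed to the reporter."""
    d = deadlines(policy, report)
    overdue = []
    if report.acknowledged is None and today > d["acknowledge_by"]:
        overdue.append("acknowledge")
    if report.triaged is None and today > d["triage_by"]:
        overdue.append("triage")
    if report.remediated is None and today > d["disclosure_date"]:
        overdue.append("remediate")   # timer expired: disclosure may now be public
    return overdue


def public_disclosure_on(policy: VdpPolicy, report: Report) -> date:
    """Assumed policy rule: the finder may publish once the fix ships or when the
    time-box expires, whichever comes first."""
    deadline = deadlines(policy, report)["disclosure_date"]
    if report.remediated is not None and report.remediated < deadline:
        return report.remediated
    return deadline


# Constructed sample policy and reports (hypothetical hostnames).
POLICY = VdpPolicy(
    in_scope=("*.example.com",),
    out_of_scope=("legacy.*",),
    excluded_types=frozenset({"ddos", "missing_rate_limit"}),
)
SAMPLE_REPORTS = [
    Report("R-1", "app.example.com", "xss", date(2024, 1, 2), acknowledged=date(2024, 1, 3)),
    Report("R-2", "legacy.example.com", "sqli", date(2024, 1, 5)),
    Report("R-3", "api.example.com", "ddos", date(2024, 1, 6)),
    Report("R-4", "partner.example.net", "csrf", date(2024, 1, 8)),
]

if __name__ == "__main__":
    today = date(2024, 1, 20)
    for r in SAMPLE_REPORTS:
        print(r.report_id, scope_status(POLICY, r), overdue_steps(POLICY, r, today),
              public_disclosure_on(POLICY, r))
```

Running the block with the constructed data flags R-1 as in scope but overdue for triage on 2024-01-20, and routes R-2, R-3 and R-4 out of the queue before any timer starts, which is the kind of early, consistent answer the scope section says researchers need.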
One of the most interesting components of some vulnerability disclosure programs is a “safe harbor,” which provides legally binding assurance that security researchers do not face legal action or penalties for searching and identifying vulnerabilities in good faith. This is a significant incentive for the security research community, as it creates a layer of protection for finders. However, some organizations prefer to not include comprehensive safe harbors, instead opting for agreements that protect security researchers unless they do not comply with the terms and scope of a VDP.
Best Practices for Managing a VDP
Beyond simply establishing a VDP and identifying key components, organizations should also apply best practices that allow their vulnerability program to work seamlessly for themselves, their partners, and the global security research community.
Communication is key when employing and using a vulnerability disclosure program. Security researchers who choose to report vulnerabilities should be able to fully understand an organization’s process and what to expect along the way.
Provide Clear Legal Guidance
During the VDP process, provide clear legal guidance using standardized terms and examples. For example, the Computer Fraud and Abuse Act (CFAA) prohibits accessing a computer without authorization or exceeding authorized access, so many security researchers are hesitant to test assets where robust VDPs are not in place. Communicate clear legal boundaries in order to help security researchers understand their role and protections during the VDP process.
Ground Interactions in Good Faith
Teamwork is vital during the VDP process. While it may feel unsettling to allow security researchers and ethical hackers to pinpoint an organization’s vulnerabilities, the motivation behind it is rooted in altruism and securing an organization’s assets. With this in mind, interact in good faith and remember that a successful VDP benefits both an organization and security researchers.
Focus on Remediation
Remember the entire purpose of a vulnerability program is to enhance your security posture and better protect your end-users by removing vulnerabilities. Prioritize that protection by addressing and remediating any reported vulnerabilities in a timely manner. Not only will this protect your end-users, but also showcase how your VDP is working as planned.
Troubleshoot the Process
Regardless of how organized and thought-out a vulnerability disclosure program is, pain points will occur over time, illuminating areas to work on. Troubleshoot this process over time, addressing any pain points. Be sure to include security researchers in this process, who can provide areas of improvement from their end as well.
Integrate into Existing Security Landscape
Remember that even the most robust vulnerability disclosure program is just one piece of a larger cybersecurity landscape that involves multiple tools and processes designed to keep an organization safe. Routinely review the existing security landscape, implementing new best practices
Know Your Limits
Not all organizations may feel ready to build and implement a vulnerability disclosure program. While helpful, they may feel overwhelming for an organization just beginning to build its cybersecurity ecosystem. Communicate internally to identify best practices and tools appropriate for your organization’s specific needs, or consider working with a VDP Provider Team for basic implementation.
Using Vulnerability Disclosure Programs as a Cybersecurity Tool
Also known as coordinated or responsible disclosures, vulnerability disclosure programs provide a framework for security researchers to report security issues, vulnerabilities, or bugs to an organization. Those vulnerabilities can then be addressed and remediated by an organization, creating a more secure and safe digital presence.
VDPs are just one tool among many in an organization’s cybersecurity toolbox. The best type of toolbox is one with many different tools that can address a variety of problems. Your organization’s approach to cyber risk management should be similar, with a diverse set of tools that can identify, address, and prevent future vulnerabilities, breaches, or infiltrations. Consider adding a vulnerability disclosure program to your organization’s baseline cybersecurity toolbox in order to enhance your data security and protect your end users.