Responsible Disclosure Program_
Get professional help to manage your responsible disclosure or bug bounty program and reduce your internal effort.
Cybersecurity researchers routinely make their way around the web, spotting vulnerabilities, reporting them, and helping organisations fix them in a timely manner. It’s part of their professional mission, as bug hunters or security researchers.
Responsible Disclosure Program Management
Responsible disclosure means ethical hackers contact the company where they found a vulnerability to let them know and sometimes even helps them fix it. Usually companies reward researchers with cash or swag in their so called bug bounty programs.
If the company doesn’t engage in any way and disregards their report, the researchers sometimes choose to publicly disclose the issue so that the company will be motivated to fix it.
This happens because such security weaknesses impact a large number of people and can potentially cause significant losses and damage if exploited by cybercriminals.
Does your company have a process for receiving vulnerability notices from any external ethical hackers?
Does your team can make difference between valid and false positive reports?
Such a program provides cyber security researchers with a transparent set of guidelines they can use to submit vulnerabilities related to your infrastructure and assets, the offload of your team effort to triage the high quality reports and valid issues, allowing you to focus on what matters the most – fixing the issues without any headache.
This way, you ensure several important things:
- that you have a well established communication channel for infosec researchers to contact you
- that your internal security, development and PR teams know how to handle these notifications in a constructive manner
- you have a technical contact point that can check if the reports contain valid vulnerabilities or are false positive issues
Below are a couple of benefits to consider for working to set up a program like this.
6 benefits of a well-established Responsible Disclosure Program
1. Discover blind spots that your team missed and uncover how new and widespread vulnerabilities impact your security setup.
2. Benefit from the broad and deep expertise cybersecurity researchers have by making it hassle-free for them to report vulnerabilities and other security issues
3. Minimize the impact of security flaws pertaining to your assets or third-party tools and services.
4. Become aware of your flaws and fix vulnerabilities such as:
- Cross Site Scripting
- SQL Injection
- Server File System Access Bugs
- Authentication Issues
- Authorization Issues
- Account Hijacking
- Server-Side Code Execution vulnerabilities
5. Get proactive help in detecting and fixing security issues before they turn into a fully-blown compromise that puts your company in a difficult position and a reputation risk.
6. Build and strengthen a mutually beneficial relationship with the infosec researchers’ community that can help you find the right specialists to work with in the future.
Why most organisations fail at handling Responsible Disclosure Notices
Without a clear procedure in place and adequate technical resources allocated, most companies are unsuccessful in handling vulnerability notifications from ethical hackers.
Here are some of the most frequent mistakes we see organisations make:
- They don’t provide contact information that can be specifically used for security issues – this means vulnerability disclosure usually ends up in the sales or marketing department which are unqualified to provide a response
- They don’t reply to these notifications at all, leaving the researcher in a state of discontent
- They issue a superficial response which doesn’t reflect that they’re taking the disclosed issue seriously
- They don’t fix the vulnerability, making the researcher feel ignored and/or worried about legal consequences
- They don’t know if the reported vulnerability is legit or not
When a company doesn’t react or reply to such a notice, the researcher often decides to publicize the exploit after giving the organisation enough time to fix the issue (usually 1 to 3 months maximum). The purpose of making the vulnerability public is to pressure the company in addressing the problem and solve it.
You can avoid complications and benefit from a good professional relationship with ethical hackers by creating a policy that enables you to address situations like these.
How Bit Sentinel helps build and manage your Responsible Disclosure and Bug Bounty Programs
Avoid finding out from the media that your application or infrastructure is hackable and let us help you set-up your responsible disclosure policy.
The core elements we address in building this program are:
- The scope of the program, including goals, deliverables, functions, tasks, deadlines, and costs
- A series of guidelines and limitation of the program that communicate to ethical hackers what can be explored in terms of vulnerabilities, how deep they can exploit the vulnerabilities and which assets/attacks are off-limits
- Factors that make a vulnerability eligible for reporting, so you ensure that insignificant bugs don’t alert your security team uselessly
- The rewards assigned to particularly impactful vulnerabilities, an aspect that can motivate researchers to pay special attention to your organisation
- The technical and legal limitations of the program – this saves your legal and development teams time on answering case-by-case queries and gives your PR team context and speed when addressing potential issues related to responsible disclosure, including an ISO 29147 compliant disclosure policy
- The infrastructure that enables your company to receive the reports from security researchers, create tickets, and manage them internally throughout the lifecycle of patching and closing the issue
- The effort of removing false positive or duplicate reports, staying in touch with the security researcher, and many more aspects are covered by our team of experts.
Is your company prepared to handle responsible disclosure notifications?