Practical vulnerability disclosure: VDP made easy

October 15, 2020

The security of digital innovations is a primary concern for organisations and individuals alike. New ways of testing the safety and quality of digital services emerge and establish themselves, bringing with them new possibilities to shape security. Still, the majority of digital products and services harbour vulnerabilities. It is thus crucial to identify and correct vulnerabilities as fast as possible.

What can we do to protect ourselves? Who should look for vulnerabilities? Should suppliers or users be informed? If so, when and how? These questions have been around ever since we began creating digital products and services. These questions also define a process known as vulnerability disclosure.

The appropriate management of vulnerabilities is vital to reducing digital security risks. The technical community has developed clear guidelines for reporting potentially unknown or harmful security bugs to the proper person or team responsible. Those guidelines are what we call a Vulnerability Disclosure Policy (VDP).

What is a Vulnerability Disclosure Policy (VDP) and why you need one


The most robust approach to establishing a secure and accessible communication channel with well-intentioned third parties is a stand-alone comprehensive VDP. It is a commitment that your organisation will receive, test, and if need be, fix vulnerabilities notified by security folks external to the business. By publishing a VDP, the organisation establishes rules that these people must respect. If they do, the organisation pledges not to take any legal action against them. This aspect is known as ‘safe harbour’. A VDP is thus a declaration with legal value.

Difference between a VDP and a Bug Bounty program

Often, when discussing what a VDP is, the question of how it differs from a Bug Bounty program comes up. These two approaches are complementary, but they are not synonyms.

As you may have guessed, a VDP is a passive approach. With a VDP, the organisation provides anyone wishing to report a bug in good faith with a communication channel. Most often, the rewards for ethical hackers are a ‘thank you’, a Hall of Fame mention or some swag.

By contrast, a Bug Bounty program is a proactive approach. The organisation mobilises the community to search for and identify bugs on strictly defined technical scopes. Under a private program (the majority of cases), only a fraction of the community participates. Researchers who identify vulnerabilities within a Bug Bounty program receive monetary rewards according to a specific bounty grid.

Why do we insist on this distinction? Well, because it matters. Many Bug Bounty providers publish the VDP and a parallel Bug Bounty program on the same website. The difference between the two approaches is then not clear enough.

Such a set-up may create confusion for both good-faith hackers and the organisation. The mix-up leads to unpleasant situations for everyone involved: Bug Bounty hunters invest time looking for weak points and therefore expect compensation where there is none to be had. This lack of delimitation, in turn, leads to companies receiving too many vulnerability reports, causing a lot of work and resource bottlenecks internally.

At YesWeHack – the #1 European Bug Bounty & VDP Platform, we are careful to set clear boundaries. Our approach is to provide the right guidance and tools so that VDP programs prevent mix-ups. Thus, the VDP is published on the company’s own website: it cannot be mixed up with a Bug Bounty program. Hackers can see at a glance that this is a free way to report vulnerabilities.

Launching your VDP made easy

From an operational point of view, a VDP complements pre-existing security efforts across business lines. It provides tangible input to security operations, incident response, crowdsourced or in-house security auditing and red teams.

It is also worth highlighting what a VDP does for the vulnerability finders. By promoting and providing a structured and accessible way to report security bugs, such a process enables smooth communication and legal clarity.

So, a properly implemented VDP reduces digital security risks for all parties involved and adds value to your organisation. Industry-standard best practices and solutions are within reach.

More info about VDP can be found here.