Showcasing your vulnerability disclosure policy to the world

January 23, 2020

Every business needs a vulnerability disclosure policy. Thankfully, a growing number of organisations have one. Yet, those programs are not always a click away. Here’s to a unique plugin for both Chrome and Firefox, because making it easy to report issues need not be much work.

We are all too familiar with the quotidian data breach debacle that organisations go through more often than not. Besides, the initial notice frequently comes from an “anonymous report” or a disgruntled ethical hacker tweeting about your mishandling their repeated vulnerability notifications.

Those are situations we observe, yet many still struggle with preparing for them and the PR mess that inevitably follows. Shooting the messenger, coming up with statements that look pretty much like they have been randomly generated, or not responding for months, are all symptoms that you are ill-prepared to handle reports from the broader security community.

The good news: I can haz a VDP

One robust approach to preventing stinky headlines and loss of trust from customers and partners is a vulnerability disclosure policy (VDP). That policy is a commitment that your organisation will receive, evaluate, and if need be, fix vulnerabilities notified by security folks external to the business.
A VDP also clarifies that you will not go after ethical hackers willing to help you improve the security of your service or product.

For a VDP to be efficient, it needs a few essential elements:

  1. Scope: clearly state what is what, identifying assets that your VDP covers.
  2. Safe harbour: specifically directed at ethical hackers, this bit confirms your commitment to not prosecuting well-intentioned researchers who report a vulnerability. That part is particularly important as legal clarity across organisations and countries is extremely challenging to achieve.
  3. How To: the precise mechanism your organisation has set up and, ideally, the details you would want to see added to a vulnerability report. The aim here is to make said report the most useful possible to the organisation’s technical team.
  4. DO’s and DON’Ts: anything you find relevant to smoothen communication.

You got it right: setting up such a policy implies you have thought out roles and responsibilities internally. Rather than a burden, setting up a VDP and organising it is a way of developing talent, breaking silos and improving security altogether.

The better news: Showcasing your VDP has never been easier

You have a VDP; you need to feature it prominently on the organisation’s website so it is accessible to anyone who needs it. One way of doing so is creating a dedicated webpage, as F-Secure does.

Another way is a simple tool that comes in handy, namely security.txt. You fill in the form, download the file and upload it to the business’s website. Your security.txt can contain contact details, or else the link to your ongoing Bug Bounty programme. Indeed, a Bug Bounty programme is a vulnerability disclosure policy with a monetary reward system.

Whichever way you choose, you will want it to be known. Well, now, there is a plugin for that! Enter YesWeHack VDP Finder, the go-to Chrome and Firefox plugin. Whenever you browse the web, the plugin indicates whether a VDP exists. Because making it easy to report issues does not need to be much work!

Download for Chrome:

Download for Firefox:

Wanna go for a cool – and secure – carpooling service?

We have marked cases where a VDP exists without a security.txt as “room for improvement” to highlight that security.txt is a (draft, for now) standard. As such, it makes locating a VDP even easier, since no extra browsing is needed to find the contact details: the security.txt file is always present at www.mywebsite.tld/.well-known/security.txt
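How a client could read that file and arrive at the “room for improvement” label, as an added example (this is not the plugin's code). The `Name: value` syntax and the `Contact` and `Policy` fields follow the security.txt draft; the sample file, the function names and the other two labels are assumptions made for illustration.

```python
# Added example: parse a security.txt body and grade a site the way the
# article describes. SAMPLE and the label strings are constructed.

SAMPLE = """\
# Constructed sample, not a real organisation's file
Contact: mailto:security@mywebsite.tld
Contact: https://www.mywebsite.tld/report
Policy: https://www.mywebsite.tld/vdp
Preferred-Languages: en, fr
"""


def parse_security_txt(text):
    """Return {lowercased field name: [values]} for well-formed lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        # Field names are letters, digits and hyphens. This also rejects the
        # HTML of an error page served with status 200 at the well-known path.
        if not sep or not value or not name.replace("-", "").isalnum():
            continue
        fields.setdefault(name.lower(), []).append(value)
    return fields


def grade(security_txt, has_vdp_page=False):
    """Hypothetical grading: security_txt is the fetched body, or None."""
    fields = parse_security_txt(security_txt or "")
    # Contact details or a policy / bug bounty link both give a reporter
    # somewhere to send a report.
    if fields.get("contact") or fields.get("policy"):
        return "vdp-with-security-txt"
    if has_vdp_page:
        return "room-for-improvement"  # VDP exists, but no usable security.txt
    return "no-vdp-found"


if __name__ == "__main__":
    print(parse_security_txt(SAMPLE))
    print(grade(SAMPLE), grade(None, has_vdp_page=True), grade(None))
```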

Like, really?