Turnkey VDP Open Source: making a difference in enhancing cybersecurity as a “public good”
October 25, 2022
The 10th edition of the European Cybersecurity Month (ECSM) which is the well-known European Union’s annual campaign dedicated to promoting cybersecurity among EU citizens and organisations, is coming to an end.
For this year, YesWeHack wishes to contribute it not only with the usual statements on the importance to be aware of the cyber risk but with a concrete move: the release of our turnkey VDP solution as open-source tool to get responsible vulnerability disclosure more widespread.
Cybersecurity as a “public good” and recent positive policy trends
As the risk of cyberattacks linked to the exploitation of vulnerabilities will invariably increase with digital transformation of our life and the ever-expanding attack surface of new digital technologies, a different approach to cybersecurity is needed.
First, security is all about transparency. Every organisations should be as transparent as possible about security issues that come to light. This will help building trust and reputation with users of new technologies. When it comes to cybersecurity, the key message is to ensure that all users have access to the expected level of robustness and security of digital solutions. These elements should be adequate to the purpose of the deployment of new technologies.
Secondly, managing cybersecurity as a public good, as suggested by the WEF, would imply that costs are shared equitably among all the relevant stakeholders. As for other public goods like streetlights and national defence, the public sector could set standards or shoulder some part of the costs and the users will contribute by paying taxes.
Finally, approaching cybersecurity as a public good would also trigger and encourage more shared responsibilities among the different stakeholders, and fostering collaboration.
Over the last years, some international and inter-governmental organisations have taken relevant actions promoting the issue of vulnerability disclosure policy (VDP) as a public policy topic and providing a strong political commitment toward that end.
The OECD, with its working group on Security in the Digital Economy, has promoted the topic of encouraging responsible vulnerability treatment among its members. The CyAN Global Coalition to Protect Cyber Researchers is also an important step to push for consistent legal immunities for bona fide zero day researchers. Then, the European Union has put in place several regulatory initiatives promoting the use of VDP: the Cybersecurity Act, the update of the NIS Directive and the recent proposal on Cyber Resilience Act are all encouraging Member States and private organisation to design and deploy VDP to facilitate the reporting, detection, and remediation of vulnerabilities.
It is without no doubt that international public stakeholders acknowledge the appetite and need for a more transparent way to report vulnerability. Even more important, all these initiatives highlight the need for a regular institutional dialogue that would give the chance for all stakeholders, including ethical hackers, to participate in an inclusive and transparent manner. However, CVD programmes are still facing important challenges: users’ lack of knowledge of the rules of engagement managing these activities, the fact that some companies are still insufficiently aware of the need to patch vulnerabilities detected in their software, and to the heterogeneity of the processes specific to each organisation. Finally, CVD policies are not yet generalised or harmonised. Given this context, what are the means and best practices for generalising the implementation of these programmes?
The “MyOpenVDP” released today is a simple and turnkey website allowing anyone to host their own VDP. As for our commercial offering, YesWeHack will continue providing a fully managed and integrated solution for managing vulnerability reports at scale in a seamless manner.
Our initiative reflects our decade of security expertise in Europe and long-term investments and a deep commitment to CVD approach, ethics, transparency, and compliance with European laws.
Since wild disclosure or not reporting a vulnerability due to a lack of communication channels puts users at risk and can impact the reputation of the provider, CVD is the only way to turn these liabilities into opportunities and build trust.
At YesWeHack we can leverage on FireBounty.com, a unique and comprehensive online repository that continuously crawls the web to reference existing vulnerability disclosure policies. FireBounty.com exists since 2015 with the primary purpose of allowing security researchers to find disclosure policies of any kind, be it Hall of Fame or Bug Bounty programs paying monetary rewards. So far, FireBounty.com harbours close to 25,000 VDPs, making it the world’s most complete VDP directory.
While global giant tech players have a commercial interest in contributing to “EU’s digital decade” and marketing non-European solutions during the ECSM, the release of MyOpenVDP constitutes a simple but far-reaching move for a long-term approach to cybersecurity as a public good.
Finally, for those who want to scale and industrialise the VDP, they will always be able to upgrade the solution to the paid version which remains customisable and integrated into the YesWeHack platform. This will allow the entity to manage and control all their vulnerability reports taking advantage of the features of our platform. For more information, contact us.
Conceiving cybersecurity as a public good would be decisive for the attainment of the global economy and society prosperity, for it will help to improve the overall security of our societies and their stability. Our commitment to collaboration and innovation has always inspired our action: we will continue providing concrete tools and action-oriented proposals to promote the widespread use of CVD by all organisations.
More info on our GitHub: https://github.com/yeswehack/my-open-vdp
Founded in 2015, YesWeHack is a global Bug Bounty & VDP Platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 45,000 cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation based only) programs and public programs for hundreds of organisations worldwide in compliance with the strictest European regulations.
In addition to the Bug Bounty platform, YesWeHack also offers: a creation and management solution for Vulnerability Disclosure Policy (VDP), a Pentest Management Platform, a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.
More info: www.yeswehack.com