
Vulnerability disclosure policy (and how to get it right)

Everything you need to know about vulnerability disclosure policy and what it means for your business.

Tal Morgernstern | June 5, 2024

All companies strive to maintain the highest possible security standards for their products and customers. Yet no matter how secure a system or application might appear, vulnerabilities are bound to surface. Identifying these vulnerabilities is crucial, and how an organization handles its vulnerability data depends on its vulnerability disclosure policy.

In this blog, we’ll break down what a vulnerability disclosure policy is and discuss its importance for businesses. We’ll also explore various security testing platforms and federal requirements in the US you should know about. 

TL;DR

A vulnerability disclosure policy enables ethical hackers and security researchers to submit vulnerability findings in a company’s networks, systems, and applications. This can not only help an organization patch critical vulnerabilities early but also spare them from the costs associated with a potential breach.

The key components of a vulnerability disclosure policy include:

  • Commitment
  • Scope
  • Safe harbor
  • Process
  • Preferences
  • Important guidelines

What is a vulnerability disclosure policy?

A vulnerability disclosure policy (VDP) enables ethical hackers to discover security vulnerabilities in a company’s products and to report them to the organization. Vulnerability disclosure policies establish transparency in the way data is handled between organizations and key stakeholders, such as customers, partners, and security researchers. 

Each company has its own VDP guidelines and program rules to promote ethical research on security vulnerabilities. This helps set boundaries on what can be tested, how tests should be conducted, and the proper channels for reporting findings. It also outlines the legal protections for security researchers, ensuring that those who follow the guidelines are not subject to legal action. 

Penetration testing plays a major role in identifying any security flaws within an organization. 

Ethical hackers act as the red team or “the attackers” during a pentest where they attempt to expose system weaknesses or other potentially high-risk vulnerabilities that can severely impact an organization’s critical infrastructure and lead to a breach.  

93 ethical hackers reported 835 vulnerabilities across 105 websites in 2023

A recent study found that 93 ethical hackers reported 835 vulnerabilities across 105 websites and generated $450,000 in earnings through bug bounty programs. But more concerning was that security vulnerabilities from the United States Department of Defense were the most common, accounting for 10% of all reports.

Despite the lucrative rewards associated with bug bounty programs and the critical need for organizations to address urgent security flaws, there remain important questions about the potential risks that come with embracing ethical hacking.

Read more: What happens when bug bounties don’t work? >>

 

Why is a vulnerability disclosure policy important?

A VDP allows ethical hackers and security researchers to submit vulnerability findings in a company’s networks, systems, and applications. This is incredibly beneficial for an organization as it helps improve its security posture and reduce the risk of potential vulnerabilities going undiscovered.

At least 70% of apps contain at least one security flaw after 5 years in production.

An ethical hacker can spare the organization from having to disclose a potential breach by discovering critical vulnerabilities before they reach production. 

A VDP offers organizations numerous advantages:

  • Streamlines and legalizes the vulnerability reporting process
  • Builds trust in their products and services among customers and key stakeholders
  • Maintains compliance with federal requirements
  • Enables organizations to deploy patches more efficiently to combat discovered exploits
  • Demonstrates that companies are committed to data protection and information security
  • Spares an organization the costs involved in mitigating a potential breach

Read more: Vulnerability management metrics in 2024: the ultimate guide >>

 

The key components of a vulnerability disclosure policy

Commitment 

This opening section of the VDP is mainly directed toward customers, the marketplace, and key stakeholders. It also covers how the objectives of the VDP will be achieved, such as through vulnerability reporting, and how this would reduce risk and mitigate any damage caused by cyber attacks, in terms of reputational damages and actual costs. 

Scope 

This section indicates which assets the policy covers, which products it applies to, and which types of vulnerabilities are in scope. It also states which vulnerabilities should be reported and which will be dismissed, based on their severity. 

The scope defines where the focus of attention should be and what is prohibited. It also identifies which products are relevant and those that are not, such as older versions that might not be supported anymore. Organizations may also keep certain products off limits to protect intellectual property or sensitive data.

Safe harbor

This section of the VDP assures that the organization will not penalize nor take any legal action against those reporting vulnerabilities so long as they abide by the policy.

As the goal is to create a safe harbor and to build trust within the community of ethical hackers, the wording should be clear and encouraging, not threatening or prescriptive.

Process

This section of the VDP refers to the process or methods ethical hackers use to report vulnerabilities. It provides such information as:

  • Where to submit the reports
  • How to submit the reports, via email or a secure web form
  • The specific vulnerability details to be included in the submission

The process section also deals with what should be covered in the report so that the organization can identify and analyze the vulnerability, including such details as where the vulnerability is located, its potential impact, and any other relevant technical information.

Another recommended practice is to enable ethical hackers and security researchers to submit their vulnerability reports anonymously, without fear of legal repercussions or misuse of their personal data, which would otherwise discourage them from submitting vulnerabilities.

The process section also outlines the organization’s timeframe for notifying the individual submitting the vulnerability report that it has been received. 
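The "where to submit" and "how to submit" details above are conventionally published in a machine-readable form as well: RFC 9116 defines a `security.txt` file, served at `/.well-known/security.txt`, whose `Contact:` and `Policy:` fields point researchers at the submission channel and at the VDP itself. The following is an added example, not code from Vulcan Cyber or from the article; it builds such a file and checks the two rules researchers trip over most often (a missing or expired `Expires:` and a `Contact:` that is not a usable URI). The organization name, e-mail address and URLs are made-up placeholders.

```python
"""Build and sanity-check an RFC 9116 security.txt: the file that tells
researchers where and how to submit a report under the VDP.
Added example for this article; the contact details are placeholders."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed placeholder values for an example organization.
VDP_CONTACT = ["mailto:security@example.com", "https://example.com/vdp/report"]
VDP_POLICY = "https://example.com/vdp"            # the published VDP text
VDP_PGP_KEY = "https://example.com/pgp-key.txt"   # key for encrypted reports
VDP_ACKS = "https://example.com/hall-of-fame"     # credit for finders

# RFC 9116: Contact and Expires are mandatory, the rest are optional.
REQUIRED_FIELDS = {"Contact", "Expires"}
KNOWN_FIELDS = REQUIRED_FIELDS | {
    "Encryption", "Acknowledgments", "Preferred-Languages",
    "Canonical", "Policy", "Hiring", "CSAF",
}


def build_security_txt(expires_in_days: int = 365,
                       now: Optional[datetime] = None) -> str:
    """Return the text to serve at /.well-known/security.txt."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=expires_in_days)).replace(microsecond=0)
    lines = [f"Contact: {c}" for c in VDP_CONTACT]
    lines += [
        f"Expires: {expires.isoformat().replace('+00:00', 'Z')}",
        f"Encryption: {VDP_PGP_KEY}",
        f"Policy: {VDP_POLICY}",
        f"Acknowledgments: {VDP_ACKS}",
        "Preferred-Languages: en",
    ]
    return "\n".join(lines) + "\n"


def check_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    fields: Dict[str, List[str]] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank lines and comments
            continue
        if ":" not in line:
            problems.append(f"line {n}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        name, value = name.strip(), value.strip()
        if name not in KNOWN_FIELDS:
            problems.append(f"line {n}: unknown field {name!r}")
        fields.setdefault(name, []).append(value)
    for req in sorted(REQUIRED_FIELDS):
        if req not in fields:
            problems.append(f"missing required field {req}")
    # Every Contact must be something a researcher can actually use.
    for c in fields.get("Contact", []):
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact {c!r} is not a mailto:/https:/tel: URI")
    # Exactly one Expires, in the future; RFC 9116 recommends under a year.
    exp_values = fields.get("Expires", [])
    if len(exp_values) > 1:
        problems.append("more than one Expires field")
    elif exp_values:
        try:
            exp = datetime.fromisoformat(exp_values[0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append("Expires is in the past; researchers will distrust the file")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    return problems


if __name__ == "__main__":
    txt = build_security_txt()
    print(txt)
    print("problems:", check_security_txt(txt) or "none")
```

The `Expires:` check matters in practice: an expired file is a signal to researchers that nobody maintains the channel, which is exactly the impression the process section of a VDP is meant to avoid.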

Preferences 

In a VDP, this non-binding section lays out how the organization prefers to handle vulnerability report assessment, in addition to its priorities. This includes the anticipated response time once a report has been submitted. 

The preferences section details: 

  • Confirmation of a reported vulnerability
  • Follow-up communication throughout the vulnerability remediation process
  • Whether finders have permission to disclose the detected vulnerabilities publicly, and when they can disclose them

Important guidelines 

Every company should outline important guidelines in their VDP to set boundaries and rules for ethical hackers.

These guidelines should ask researchers to notify the organization as soon as a security vulnerability has been detected, and should state that discovered exploits must not be used to further compromise data integrity.

Read more: The ultimate guide to cyber security compliance >>

 

Vulnerability security testing platforms and capabilities 

Attracting quality security researchers and ethical hackers isn’t always so simple due to the sheer volume of organizations accepting vulnerability submissions.

As a result, many companies rely on third-party services and platforms to gain greater visibility among the research community and to reach the wide pool of talent those platforms make readily accessible. On the flip side, these platforms make it easy for researchers to find companies that are open to having their systems tested.

The three main security testing platforms are Bugcrowd, HackerOne, and Synack. Each offers a wide range of security testing features and capabilities. Let’s have a closer look at each platform:

 

Bugcrowd

  • AI bias assessment
  • CrowdMatch
  • Attack surface management
  • Penetration testing as a service (PTaaS)
  • Bug bounty
  • Vulnerability disclosure

 

HackerOne

  • Attack resistance management
  • Penetration testing as a service (PTaaS)
  • Code security audit
  • Bug bounty
  • Vulnerability Disclosure Program (VDP)
  • 3 stages of continuous vulnerability discovery

 

Synack

  • Penetration testing as a service (PTaaS)
  • API security testing
  • Cloud security testing
  • Security testing for AI and LLMs
  • Bug bounty
  • Attack surface management

 

Vulcan Cyber integrates with the most popular security testing platforms such as Bugcrowd, HackerOne, and Synack, enabling users to easily manage the remediation of vulnerabilities detected by a bug bounty program with a unified risk view.

Once the integration is complete, the Vulcan Platform scans the report’s findings to correlate, consolidate, and contextualize the ingested data, which informs risk and remediation priority.

Examples of US federal vulnerability disclosure policy requirements

Here are some examples of US government-mandated vulnerability disclosure policies, including general guidelines and testing methods. 

 

NIST Special Publication (SP) 800-216

Per NIST’s guidelines, VDP reporting should include: 

  • Product or service name and affected versions
  • An identified host or its network interface
  • Class or type of vulnerability, optionally using a taxonomy like CWE (Common Weakness Enumeration)
  • Possible root cause (or CVE if known)
  • Proof-of-concept code or other substantial evidence
  • Tools and steps to reproduce the vulnerable behavior
  • Impact and severity estimate
  • Scope assessment and other products, components, services, or vendors thought to be affected
  • Disclosure plans (specifically, embargo and publication timelines)
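The process section of a VDP (what a submission must contain so the organization can locate and analyze the flaw) and the NIST SP 800-216 list above describe the same thing: the fields an intake step should check before a report enters triage. The following is an added example, not NIST's or Vulcan Cyber's code, of such an intake check. It splits the NIST fields into those triage cannot proceed without and those that merely improve the report, flags a vulnerability class that is not a CWE identifier, and derives the acknowledgment due date and earliest publication date from the timeframes a VDP's process and preferences sections promise. The field names, the 5-day acknowledgment window, the 90-day default embargo and the sample report are all constructed for illustration.

```python
"""Intake check for a vulnerability report submitted under a VDP.
Required/optional split follows the NIST SP 800-216 field list; the field
keys, timeframes and sample report are constructed for this added example."""
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple

# Fields a triager cannot work without (from the NIST SP 800-216 list).
REQUIRED = {
    "product": "Product or service name and affected versions",
    "host": "Identified host or network interface",
    "vuln_class": "Class or type of vulnerability (ideally a CWE id)",
    "reproduction": "Tools and steps to reproduce the vulnerable behavior",
    "impact": "Impact and severity estimate",
}
# Fields that improve the report but whose absence does not block triage.
OPTIONAL = {
    "root_cause": "Possible root cause (or CVE if known)",
    "evidence": "Proof-of-concept code or other substantial evidence",
    "scope": "Other products, components, services or vendors affected",
    "disclosure_plan": "Embargo and publication timelines",
}

ACK_WITHIN = timedelta(days=5)        # assumed: VDP promises receipt confirmation in 5 days
DEFAULT_EMBARGO = timedelta(days=90)  # assumed: default embargo if the finder states none
CWE_RE = re.compile(r"^CWE-\d+$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample submission (not a real finding).
SAMPLE_REPORT = {
    "product": "ExampleShop web application 2.3.1",
    "host": "shop.example.com (443/tcp)",
    "vuln_class": "CWE-79",
    "reproduction": "Search term is reflected in the results page without output encoding",
    "impact": "Medium: script execution in another customer's browser session",
    "evidence": "screenshot attached",
}


def _present(report: Dict[str, Any], key: str) -> bool:
    return bool(str(report.get(key, "")).strip())


def check_report(report: Dict[str, Any]) -> Tuple[List[str], List[str], List[str]]:
    """Return (missing required, missing optional, warnings) as descriptions."""
    missing_req = [d for k, d in REQUIRED.items() if not _present(report, k)]
    missing_opt = [d for k, d in OPTIONAL.items() if not _present(report, k)]
    warnings: List[str] = []
    vc = str(report.get("vuln_class", "")).strip()
    if vc and not CWE_RE.match(vc):
        warnings.append("vuln_class is free text; a CWE identifier speeds up triage")
    rc = str(report.get("root_cause", "")).strip().upper()
    if rc.startswith("CVE") and not CVE_RE.match(rc):
        warnings.append("root_cause looks like a CVE id but is malformed")
    return missing_req, missing_opt, warnings


def triage(report: Dict[str, Any], received_at: datetime) -> Dict[str, Any]:
    """Decide whether the report enters triage and compute the VDP deadlines."""
    missing_req, missing_opt, warnings = check_report(report)
    plan = str(report.get("disclosure_plan", "")).strip()
    not_before = received_at + DEFAULT_EMBARGO
    if plan:  # finder proposed a publication date; honor it if parseable
        try:
            not_before = datetime.fromisoformat(plan.replace("Z", "+00:00"))
        except ValueError:
            warnings.append("disclosure_plan is not an ISO 8601 date; using default embargo")
    return {
        "accepted": not missing_req,
        "missing_required": missing_req,
        "missing_optional": missing_opt,
        "warnings": warnings,
        "ack_due": received_at + ACK_WITHIN,
        "disclosure_not_before": not_before,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, datetime.now(timezone.utc))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Rejecting a report for a missing field is not the point; the point is that the finder gets an immediate, specific list of what to add, which keeps low-quality submissions out of the queue without discouraging the researcher.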

 

Department of Justice (DOJ)

The Department of Justice outlines its requirements and best practices for vulnerability disclosure: 

General guidelines 

  • Notifying DOJ OCIO within 72 hours of discovering any real or potential security vulnerabilities 
  • Not submitting a high volume of low-quality reports

Test methods 

  • Researchers must not establish command line access and/or persistence; pivot to other systems; escalate privileges; attempt to move laterally within the network; disrupt access to DOJ services; or introduce any malware in the course of testing
  • Researchers may not conduct physical testing or social engineering, including spear phishing, of DOJ personnel or contractors
  • Researchers may not conduct denial-of-service (DoS or DDoS) tests or other tests that impair access to or damage a system or data

Read more: The new SEC cyber security disclosure rules: What you need to know >>

 

Consolidate your vulnerability data with Vulcan Cyber

Identifying vulnerabilities is only the first step in the vulnerability management process and in keeping your systems secure. Every reported vulnerability must also be properly tracked, prioritized, and mitigated to keep your business’s security risks as low as possible.

The Vulcan Cyber ExposureOS consolidates vulnerability and risk data across all your attack surfaces from a single operational view. Prioritize vulnerabilities based on severity, threat intelligence, and actual business risk. Take proactive security measures against critical vulnerabilities and complement your VDP with Vulcan Cyber.  

Get a demo to find out how you can start owning your risk today.
