13 Nov What is a Vulnerability Disclosure Program and Policy?
In cyber security, the acronym VDP can stand for more than one thing, but it primarily concerns vulnerability disclosure.
The article below covers what a vulnerability disclosure program is and the different types of policies that govern them.
Vulnerability Disclosure Programs
A Vulnerability Disclosure Program (VDP) is a program that encourages researchers to report security vulnerabilities in a company’s products, services or websites. These programs help organizations identify and repair vulnerabilities in a timely manner so they can protect their customers. VDPs usually contain a program scope, submission guidelines, a reporting process and methods of response.
Code vulnerabilities leave room for hackers to wreak havoc on data security, systems, people, or intellectual property. In order to improve product and service security, ISO/IEC 29147:2018 recommends that companies take measures to disclose vulnerabilities. This includes setting up procedures for receiving, managing, and responding to reports of vulnerabilities.
Vulnerability disclosure programs allow users to protect their systems by managing technical vulnerabilities, making it easier to prioritize defensive investments and assess risk. The objective of disclosure is to lessen the potential harm an exposed security flaw could cause.
Vulnerabilities in code, configurations, digital system resources and processes can give hackers a chance to take over your assets. According to studies, the average software application contains dozens of bugs per thousand lines of code. In fact, more security vulnerabilities were disclosed in 2021 than in any other year to date, averaging more than 50 Common Vulnerabilities and Exposures (CVEs) logged each day.
If malicious actors find defects that the development team did not, it could spell trouble. Configuration errors can also be a big security risk, especially for cloud-based applications. Often, these oversights happen during deployment.
A VDP is more successful when ethical hackers are interested and engaged. Ethical hackers are computer security experts who “hack” into networks to test and evaluate their security. They do this with the cooperation of the targeted organization, and without any malicious or criminal intent.
Ethical hackers understand how threat actors think in order to anticipate their next move. By thinking like an attacker, ethical hackers are able to highlight security weaknesses from a different perspective.
Ethical hackers conduct active reconnaissance to find weaknesses in cyber defenses that would let them deliver a successful attack. Every vulnerability they identify first is one less opportunity for the next real malicious actor.
Before ethical hackers and organizations can interact, they must agree upon a set of ground rules. The most important engagement ground rules are always written in a vulnerability disclosure policy.
Vulnerability Disclosure Policies
Vulnerability disclosure policies are agreements that specify how security researchers uncover vulnerabilities, when those vulnerabilities will be reported, and which actions the organization’s security teams can take to fix them.
VDPs typically contain four main components: program scope, submission guidelines, reporting process and response methods.
Program scope defines the program’s goals and range of application: the products or services it covers and the industries it targets. For the program to meet its objectives, the scope must be clearly defined and understood by all parties involved.
The submission guidelines for VDPs are typically published on the company’s website. They usually include the type of data that can be submitted, and whether or not it should be encrypted before sending.
The reporting process for vulnerability reports specifies the vulnerability reporting channels, and whether or not they are anonymous. It also lays out the procedures for handling each type of report.
The response methods for VDPs lay out the process for how organizations will respond to and address reported vulnerabilities, including whether or not they will notify the security researcher of the status and timeline.
Handling sensitive information is critical, as most companies have strict policies regarding confidential or proprietary material. Many experts agree that vulnerability reporting is not itself a confidential matter, even though the information could be valuable to competitors or malicious actors.
Nevertheless, it is important to be transparent about how you are handling reports and vulnerabilities. This will help build trust between security researchers and the organization.
Examples of Vulnerability Disclosure Policies
While a vulnerability disclosure policy should be carefully crafted to fit the needs of a specific organization, there are some general best practices that organizations can follow.
Here are a number of samples and templates that you can use to get a general sense of how these policies are written.
- Cybersecurity and Infrastructure Security Agency (CISA) – Vulnerability Disclosure Policy Template
- U.S. Department of Health & Human Services Vulnerability Disclosure Policy
- Google Vulnerability Disclosure Policy
- NASA Vulnerability Disclosure Policy
As you’ll see, each of these examples is slightly different. The scope, submission process and response methods are tailored to the needs of each organization so that the issues specific to its stakeholders are addressed.
However, the primary purpose of these policies is to define clear communication channels between security researchers and companies. They are meant to be a starting point for organizations that want to implement their own policies and guidelines.