

What are vulnerability disclosure programmes?

Tod Beardsley, Director of Research at cyber firm Rapid7, discusses the critical role of vulnerability disclosure in business security.

It shouldn’t come as a surprise to anyone that all networks and software are potential access points for cyber attackers. Breach after breach is reported in news across the globe, and the risk isn’t going away any time soon. We’ve seen the threat of cyberattacks grow exponentially over the past year, with more and more businesses depending on online services to conduct their everyday activities. The FBI has reported cyberattacks increasing by 400 per cent since the start of the pandemic.

Despite this, many businesses are still failing to take up the opportunity to have friendly hackers report flaws in their security. CISOs may have recruited the very best software, QA and platform engineers. However, without drawing on the knowledge of the tens of thousands of talented hackers around the world, the most critical vulnerabilities in a business’s products and services may never be exposed.

As organisations deploy more complex environments with numerous online applications, the potential attack surface expands and tracking and assessing security becomes increasingly difficult. A successful pre-emptive approach to vulnerability mitigation is coordinated vulnerability disclosure (CVD), by way of a vulnerability disclosure programme (VDP).

VDPs provide the global community of ethical hackers or researchers with a secure channel to report any security issues or vulnerabilities. Simply, a VDP is a set of guidelines that white hat hackers can follow to report a vulnerability to an organisation in good faith. Depending on the company policy, they may be eligible for reward or recognition.

Through a VDP, businesses can get a heads up on security holes in their products and technical infrastructure. Once the threat is validated, the security team can begin working on a patch before the vulnerability is made public and potentially exploited by a malicious hacker. What’s more, implementing a VDP demonstrates a level of ‘security maturity’ by which the security of a company’s digital assets is taken seriously. At the same time, it shows customers you care about the security of their data.

Every business’s VDP will be different, ideally reflecting the specific threat profile, regulatory requirements, and assets of each company. There are, however, some components that should be shared by all VDPs. For example, the VDP should clearly demonstrate a commitment to customers and other stakeholders potentially impacted by security vulnerabilities. It should set out the scope of acceptable submissions, reassure researchers that good-faith efforts will not result in legal action, and describe the full process from submission through to response.

VDPs amongst the FTSE 350

Despite bringing benefits to security, many organisations are failing to reap the rewards of a VDP. Publicly accessible VDPs are almost non-existent across the companies listed in the FTSE 350, which, in turn, makes it challenging for them to constructively learn about vulnerabilities in products and technical infrastructure.

An investigation by Rapid7 in April 2021 worryingly discovered just 15 vulnerability disclosure programmes across the FTSE 350 businesses, accounting for only 4 per cent of the listings. Whilst some of the companies appearing not to offer a VDP do, in fact, have a process for receiving vulnerability intelligence, the absence of an easily discoverable VDP drastically undermines its effectiveness and discourages the reasonable and responsible disclosure of newly discovered vulnerabilities in products, services, and infrastructure by researchers.

Implications of lacking a VDP

VDPs are critical to businesses when it comes to staying ahead of the ever-increasing number of attackers. They act as a bridge to an enormous community of well-meaning investigators all sharing the same goal: a safer and more secure internet. It is, of course, possible to disclose vulnerabilities to businesses without a formal VDP. But without one, inefficiencies and risks are introduced. Without a clear procedure to follow, security teams can become overwhelmed by the number of unorganised vulnerability submissions. In addition, researchers face legal risk when it is not made clear how an organisation will respond to vulnerability submissions.

A functioning VDP signals that a given company has invested time and money into their cyber security programme, so it can be inferred that the absence of a VDP is signalling the opposite. If a company has a website privacy policy, it should also have some formal method for receiving and handling vulnerability reports. So, when it comes to managing reputation, the lack of a VDP may raise questions from customers about the security of their data. After all, VDPs aren’t just for reporting bugs in software applications, they’re also useful for reporting sensitive data discovered about customers or company internals on insecure cloud storage.

Seek assistance

Launching and running a successful VDP may unearth some new challenges. However, with cybercriminals thriving in today’s hyper-technical business environment, it’s more important than ever to seek assistance from ‘the good guys’.

As adoption grows, businesses must be ready to receive vulnerability data from external parties with clear policy, robust communication channels, and backend processes allowing issues to be resolved quickly. ISO 29147 and ISO 30111 are excellent starting points for building, maintaining, and improving a vulnerability disclosure programme — having been developed in partnership with internationally recognised experts in the field of vulnerability disclosure.
