Overcoming the challenges of vulnerability disclosure programs 

By Ashish Gupta

At its core, security isn’t a technology problem—it’s a people problem. To compete against an army of malicious hackers and stay ahead of their strikes, what’s needed is an equivalent army of human allies who can dig into software code to find the root causes of security vulnerabilities.

This situation is somewhat comparable to communities with Neighborhood Watch programs that encourage neighbors to report any suspicious activities to maintain a shared sense of security. If you saw your next-door neighbors’ garage door was left open all night, you probably would notify them about it, and hope they would do the same for you.

In a similar way, vulnerability disclosure programs provide a secure platform for ethical hackers to report any security vulnerabilities to organizations including banks and financial institutions. A typical vulnerability disclosure program, or VDP, is based on a framework that compiles researcher findings whenever they discover new bugs or threats. Such programs also include a triage process to prioritize security risks, report them to the organization and provide workflows to remediate any problems that are found.

VDPs provide a publicly available channel for researchers to submit security vulnerabilities to an organization. Vulnerability disclosure programs are an effective way to report potential security risks in a formalized and consistent manner. They also include a channel for the reporter to be notified that the receiver got the message.

This approach helps establish a “see something, say something” mindset within an organization. In this way, VDPs mitigate risks by enabling the disclosure and remediation of vulnerabilities before they can be exploited by bad actors. For this reason, a VDP should be a baseline security standard for every organization, just as common as a firewall.

Overcoming complexity when creating a VDP

In the case of a bank, the potential attack surface grows as the organization increases in size. That escalation can quickly spiral out of control as security vulnerabilities proliferate, overwhelming security teams with a flood of incoming reports.

For this reason, VDPs require some method to triage the security risks coming from researchers and prioritize the most pressing problems for immediate attention and remediation. In cases known as “responsible disclosure,” the vulnerability is only disclosed after there has been enough time to patch or close the issue. Since developers require some time to create a fix, the disclosure timeframe can range from a few days to several months.

Other cases involve “full disclosure” when the vulnerability is disclosed as early as possible. Full disclosure makes the information accessible to the public, which increases the risk of exploitation, but it also provides for wider research support and advanced preparation. The goal with full disclosure is to notify affected parties immediately so they can take the needed precautionary steps.

Large financial organizations are recognizing that malware is a publicly available commodity that makes it easy for anyone to become an adversary. At the same time, many companies have maintained brittle security solutions that make it harder to defend against current attacks. Security researchers or hackers undergo a vetting period at Bugcrowd. VDPs are a great way to test skills, improve performance metrics and build reputation.

Creating a dynamic channel for shared communications

The solution to this ongoing security threat is to create a vulnerability disclosure program, an essential tool for any layered cybersecurity approach. In effect, a VDP opens a communication channel to external researchers, while also encouraging current customers who use a bank’s products and services to participate in the feedback loop. By opening such a reporting channel to an army of ethical security researchers and regular consumers, financial organizations can demonstrate their commitment to protecting their digital assets and customers, while also responding quickly to address known risks.

An effective VDP carves out a global channel for vulnerability reports and publicly demonstrates that your bank is doing everything possible to protect its customers, partners and suppliers. Use of VDPs is a great way to proactively get vulnerabilities reported. However, VDPs are not appropriate for continuous, active threat testing. They also are not intended to find the most serious security vulnerabilities. In addition, VDPs cannot focus testing on a particular area, and they cannot restrict researcher access.

VDPs encourage researchers to report any threats they find in internet-facing assets for a predictable cost. In contrast to bug bounties, submissions are not incentivized by cash rewards. Providing recognition after the vulnerability has been resolved is one way to incentivize a researcher. Publishing a vulnerability report after it has been fixed is another common attribute of a VDP, which gives researchers an opportunity to share their knowledge. Such VDP initiatives work to enhance an organization’s reputation for taking cybersecurity seriously, while also fulfilling its mandatory compliance requirements.

Ashish Gupta is CEO and president of Bugcrowd.