ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
ADVERTISEMENT
Home Compliance and Risk

Overcoming the challenges of vulnerability disclosure programs 

May 19, 2022
Reading Time: 3 mins read
Overcoming the challenges of vulnerability disclosure programs 

By Ashish Gupta

At its core, security isn’t a technology problem—it’s a people problem. To compete against an army of malicious hackers and stay ahead of their strikes, what’s needed is an equivalent army of human allies who can dig into software code to find the root causes of security vulnerabilities.

This situation is somewhat comparable to communities with Neighborhood Watch programs that encourage neighbors to report any suspicious activities to maintain a shared sense of security. If you saw your next-door neighbors’ garage door was left open all night, you probably would notify them about it, and hope they would do the same for you.

rightwards arrow
View more
risk and compliance articles

In a similar way, vulnerability disclosure programs provide a secure platform for ethical hackers to report any security vulnerabilities to organizations including banks and financial institutions. A typical vulnerability disclosure program, or VDP, is based on a framework that compiles researcher findings whenever they discover new bugs or threats. Such programs also include a triage process to prioritize security risks, report them to the organization and provide workflows to remediate any problems that are found.

VDPs provide a publicly available channel for researchers to submit security vulnerabilities to an organization. Vulnerability disclosure programs are an effective way to report potential security risks in a formalized and consistent manner. They also include a channel for the reporter to be notified that the receiver got the message.

This approach helps establish a “see something, say something” mindset within an organization. In this way, VDPs mitigate risks by enabling the disclosure and remediation of vulnerabilities before they can be exploited by bad actors. For this reason, a VDP should be a baseline security standard for every organization, just as common as a firewall.

Overcoming complexity when creating a VDP

In the case of a bank, the potential attack surface grows as the organization increases in size. That escalation can quickly spiral out of control as security vulnerabilities proliferate, overwhelming security teams with a flood of incoming reports.

For this reason, VDPs require some method to triage the security risks coming from researchers and prioritize the most pressing problems for immediate attention and remediation. In cases known as “responsible disclosure,” the vulnerability is only disclosed after there has been enough time to patch or close the issue. Since developers require some time to create a fix, the disclosure timeframe can range from a few days to several months.

Other cases involve “full disclosure” when the vulnerability is disclosed as early as possible. Full disclosure makes the information accessible to the public, which increases the risk of exploitation, but it also provides for wider research support and advanced preparation. The goal with full disclosure is to notify affected parties immediately so they can take the needed precautionary steps.

Large financial organizations are recognizing that malware is a publicly available commodity that makes it easy for anyone to become an adversary. At the same time, many companies have maintained brittle security solutions that make it harder to defend against current attacks. Security researchers or hackers undergo a vetting period at Bugcrowd. VDPs are a great way to test skills, improve performance metrics and build reputation.

Creating a dynamic channel for shared communications

The solution to this ongoing security threat is to create a vulnerability disclosure program, an essential tool for any layered cybersecurity approach. In effect, a VDP opens a communication channel to external researchers, while also encouraging current customers who use a bank’s products and services to participate in the feedback loop. By opening such a reporting channel to an army of ethical security researchers and regular consumers, financial organizations can demonstrate their commitment to protecting their digital assets and customers, while also responding quickly to address known risks.

An effective VDP carves out a global channel for vulnerability reports and publicly demonstrates that your bank is doing everything possible to protect its customers, partners and suppliers. Use of VDPs is a great way to proactively get vulnerabilities reported. However, VDPs are not appropriate for continuous, active threat testing. They also are not intended to find the most serious security vulnerabilities. In addition, VDPs cannot focus testing on a particular area, and they cannot restrict researcher access.

VDPs encourage researchers to report any threats they find in internet-facing assets for a predictable cost. In contrast to bug bounties, submissions are not incentivized by cash rewards. Providing recognition after the vulnerability has been resolved is one way to incentivize a researcher. Publishing a vulnerability report after it has been fixed is another common attribute of a VDP, which gives researchers an opportunity to share their knowledge. Such VDP initiatives work to enhance an organization’s reputation for taking cybersecurity seriously, while also fulfilling its mandatory compliance requirements.

Ashish Gupta is CEO and president of Bugcrowd.

ADVERTISEMENT
Tags: CybersecurityData security
ShareTweetPin

Related Posts

FBI: Crypto-related fraud losses increased 45% in 2023

Justice Department seizes millions of dollars linked to alleged crypto investment scams

Compliance and Risk
June 20, 2025

The Department of Justice announced it has seized $225.3 million in funds linked to cryptocurrency investment scams. The action marks the largest cryptocurrency seizure in Secret Service history.

ABA urges FinCEN to reevaluate BOI collection burden on banks

FinCEN releases figures on BSA filings

Compliance and Risk
June 20, 2025

Financial institutions filed 4.7 million suspicious activity reports in fiscal year 2024. They filed 20.5 million currency transaction reports during the same time frame.

FinCEN to propose new rules on money laundering, whistleblower program

Treasury official outlines principles for Bank Secrecy Act modernization

Compliance and Risk
June 18, 2025

The Treasury Department is exploring ways to streamline the filing process for suspicious activity reports and currency transaction reports as part of a broader effort to modernize BSA enforcement, Deputy Secretary of the Treasury Michael Faulkender said.

ABA suggests splitting proposal to expand Fedwire, NSS operating hours

FATF releases revisions to international standard for payment transparency

Compliance and Risk
June 18, 2025

FAFT announced several revisions to its recommendation on payments transparency, which it said will enhance the safety and security of cross-border payments to better detect financial crime.

Senate Democrats seek proposals for regulatory changes following recent bank closures

Stablecoin bill clears Senate

Newsbytes
June 17, 2025

The Senate voted in favor of legislation to establish a regulatory framework for payment stablecoins, with proposed amendments to establish routing mandates and interest rate caps for credit cards left out of the final bill.

BAFT releases report on best practices, guidance for ISO 20022 migration

CFPB to delay small-business lending data collection compliance dates

Compliance and Risk
June 17, 2025

The CFPB will issue an interim final rule today to push back by roughly a year the compliance dates for its small-business data collection requirements, according to a filing in the Federal Register.

NEWSBYTES

ABA DataBank: Planned/announced office conversions spike

June 20, 2025

OCC releases mortgage performance report for Q1 2025

June 20, 2025

Justice Department seizes millions of dollars linked to alleged crypto investment scams

June 20, 2025

SPONSORED CONTENT

AI Compliance and Regulation: What Financial Institutions Need to Know

Unlocking Deposit Growth: How Financial Institutions Can Activate Data for Precision Cross-Sell

June 1, 2025
Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

April 25, 2025
Outsourcing: Getting to Go/No-Go

Outsourcing: Getting to Go/No-Go

April 5, 2025
Six Payments Trends Driving the Future of Transactions

Six Payments Trends Driving the Future of Transactions

March 15, 2025

PODCASTS

Podcast: Staying close to clients amid tariff-driven volatility

June 18, 2025

Podcast: Old National’s Jim Ryan on the things that really matter

June 12, 2025

Podcast: What bankers need to know about ‘First Amendment audits’

June 5, 2025
ADVERTISEMENT

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2025 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2025 American Bankers Association. All rights reserved.