U LT I M AT E G U I D E T O

Vulnerability Disclosure
INTRODUCTION

The human genome has three billion base pairs of code—99.9%

of which is identical for all humans. This means the differences
we observe in personality, appearance, and aptitude can all be
attributed to just .1% variance in how we're "coded." Software is
similar, as slight variations can drastically alter outcomes. Given the
range of skills and experience that make every developer unique,
variation is all but guaranteed.

Unfortunately, when it comes to software, variation can mean

vulnerabilities. Agile development cycles help get products to
market faster than ever, but compounding code multiples incidence
of error, to the tune of 10-20 "bugs" for every 1,000 lines. And
while behemoths like Google tout more than two billion lines of
code, even the average iPhone app has just under 50,000.

The odds of any organization finding all vulnerabilities prior to

production is slim, and continues to fall relative to an already
diminished pool of security professionals available to help. As a
result, organizations now need a way to expand risk reduction
efforts beyond the typical software development lifecycle. They
need the help of a global community.

This report explores the strategic, legal, and social nuances of

vulnerability disclosure programs (VDPs). Drawing on industry
expertise and the results of a recent Bugcrowd survey, it seeks to
uproot misconceptions, clarify definitions, and unite organizations
in a common system of best practices for encouraging, accepting,
and acknowledging vulnerabilities discovered "in the wild."

U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E | 3
W H AT A R E V U L N E R A B I L I T I E S ?
Vulnerabilities are components of code that can intentional commands in unintentional ways. In
be exploited to negatively impact the security of any event, vulnerabilities are now a pervasive
data, systems, people, or IP. According to ISO/ byproduct of a market that demands ever-faster
IEC 29147:2018, a vulnerability is, “a behavior access to products and services. Speed is the
or set of conditions present in a system, product, enemy of security, but it’s also the friend of
component, or service that ‘violates an implicit or purchasing power.
explicit security policy.’”
Most digitally literate internet users intuitively
In focusing on results, these descriptions grasp this trade-off in a world that has been
ignore the cause—both the ‘how,’ and ‘how eaten by software for more than a decade. This
often.’ Sometimes vulnerabilities are the result expectation is now at odds with a more dated
of erroneous scripting, but not always; they perspective held by organizations that still view
also arise from changes in the deployment vulnerabilities as a sign of weakness—something
environment, or from combining otherwise that should be avoided entirely. This is perhaps
"Embracing vulnerability disclosure creates a
security-first mentality, builds your reputation
of security leaders said their lack of a Vulnerability within the security community and educates your
6% Disclosure Program was from fear amongst executives that
the search for vulnerabilities would result in a breach.
board in the process."
CHRISTIAN TOON, PINSENT MASONS

due in part to the conflation of vulnerabilities poorly considered communication methods,

with their potential outcome—a security compounding a bad situation. The results
breach. These organizations mistakenly were clear; one month on from the breach,
believe one to be as deleterious as the other. Under Armour shares were up 9%, while
Equifax’s sank 11% in the equivalent time.
In reality, it isn’t the existence of the
vulnerability itself that is newsworthy, nor In a world where consumers now value trust
even its exploitation; it’s how the organization over reputation and reliability when choosing
responds. Compare the Equifax breach of brand allegiance, transparency must be
2017 to MyFitnessPal (Under Armour)’s a central to everything an organization
year later. Under Armour responded to its oversees, including security.
breach by alerting the users affected after
just four days spent ascertaining the extent
and implementing steps towards remediation
and prevention. Equifax announced the
breach two months after discovery, through

U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E | 5
 and more a perpetual journey of overlapping best The third group responsible for vulnerability
practices, and sometimes, just a bit of luck. discovery is important to note, but often difficult
to define. It includes pen testers, video game
In reality, some of the most egregious aficionados, and very often a combination of
vulnerabilities are discovered by end-users the two. Security researchers, otherwise known
themselves. In 2019, 14 year old Grant Thompson as ethical hackers, otherwise known simply as
was playing video games with his friends when hackers, are individuals of varying experience,
he discovered FaceTime could turn iPhones into interest, and demographic, skilled in finding
a listening device. While his mother tried for more security vulnerabilities missed by other testing
than a week to alert Apple to the vulnerability, she solutions. And whatever their motivation—be it
eventually resigned herself to "tweeting" about educational, reputational, or even reward-based—
it. While examples like these are rare, they are hackers are united by a fundamental desire to find
damaging not because of the vulnerability itself, the unfindable, first.
but how it is socialized.

Whatever their motivation—be it educational,

Forces like Moore’s Law causes software complexity to increase reputational, or even reward-based— hackers are united
with time, making security more challenging. "Secure coding" is
therefore less an end-state and more a perpetual journey of
by a fundamental desire to find the unfindable, first.
overlapping best practices, and sometimes, just a bit of luck.

H O W A R E V U L N E R A B I L I T I E S T Y P I C A L LY S U R F A C E D ?

Most internally developed software progresses possible use case, permutation or potential
through similar development lifecycles, which interaction in such controlled settings. Software
include several phases of testing. This could is always evolving—expanding and contracting
include automated tooling like SCA, SAST, DAST like a living organism to adapt to new operating
and vulnerability scanners, or more human- environments and an ever-growing list of
powered solutions like red-teaming and pen testing. connected tools and services. Forces like Moore’s
Law causes software complexity to increase
While vulnerabilities are ideally surfaced pre- with time, making security more challenging.
production, it’s impossible to simulate every "Secure coding" is therefore less an end-state

6 | U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E
W H AT I S A V U L N E R A B I L I T Y D I S C LO S U R E
PROGRAM (VDP)?

Vulnerability disclosure programs, or VDPs, outside of typical testing cycles. As they usually
may be best described as the Internet's cover all publicly accessible, internet-facing
“neighborhood watch”. Neighborhood watches assets, anyone with an internet connection some programs offer payments for findings with reduction with minimal disruption to existing
leverage a formal system run on voluntary can participate. Additionally, just as the simple significant impact. This may seem similar to a security and production lifecycles.
effort to report suspicious activity. While the presence of neighborhood watch signs tend to bug bounty program, but there is an important Brian Adeloye, Principal Product Security
city does much to protect inhabitants through deter nefarious activity, publicly posted VDPs distinction—bug bounty programs incentivize Engineer at Atlassian, states that, “a VDP is a
routine police patrols, and emergency response indicate that the organization is unlikely to be an submissions, while VDPs selectively reward them. reciprocation of the good faith shown by hackers
services, neighborhood watches help “fill in the easy target. who identify and share vulnerabilities of their
gaps,” for 24/7 community-lead protection. These By allowing for the communication of own volition. This provides an opportunity for
communications are incentivized by an altruistic The method for managing VDPs differs by vulnerabilities found in the routine use or testing organizations to give and get respect within the
desire to make the neighborhood safer, as well organization and is often dependent on goals of externally facing products and services, security community."
as build relationships that persist even when and resources. Some choose self-management, organizations can greatly expand their risk-
neighbors move away. while others rely on third parties like Bugcrowd to
monitor intake channels, triage findings, provide
Just like neighborhood watches, VDPs encourage remediation advice, and communicate with the
anyone that uses your corner of the Internet, to submitting party. Rewards for valid vulnerabilities
take care of it, for the benefit of all. VDPs provide
a framework to encourage and facilitate the
also differ by program and management type, and
while “kudos points,” are the standard method
Vulnerability disclosure programs may be best
secure reporting of vulnerabilities discovered for showing appreciation on hosted programs,
described as the Internet’s “neighborhood watch”

69% of organizations report receiving a critical vulnerability

through their VDP. WHO BENEFITS FROM A VDP?

Countless vulnerabilities are being written CUSTOMERS

into new and existing software every day, and As Bruce Schneier noted, vulnerabilities are
organizations need to maximize their catchment an externality that affect end users much more
area for discovering these. Yet a large majority than owners. Ethan Dodge, security engineer at
of security professionals claim that at some time Atlassian, agrees, “The primary goal of a VDP

A VDP allows companies to reduce risk, while or another, they have been unable to report a
vulnerability that they discovered. In fact, less than
is to do right by your end users. Companies
should design a program that works to serve their

publicly showcasing their commitment to 9% of Fortune 500s have a VDP in place today.
All organizations are well practiced in paying lip
customers and researchers, while simultaneously
benefiting their legal and marketing teams." This

security in a way that is both easily understood, service to “taking security seriously” whenever
they make the news, but the actual prevalence
means organizations should not only prioritize
the security of their users’ data for their sake,

and easily verified. and maturity of VDPs say otherwise. but for the reputational, and ultimately financial

U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E | 9
 "A mature vulnerability disclosure program
signifies a mature security culture... I have
always researched a company's VDP
when interviewing for jobs to assess the
working environment."
ETHAN DODGE, ATLASSIAN

damage the organization will incur if they fail to of remediation, recognition, respect, and
do so. A VDP allows companies to reduce risk, commitment to rapid response. For potential
while publicly showcasing their commitment to security hires, the presence of a VDP often
security in a way that is both easily understood, signifies the influence wielded by security
and easily verified. No more lip service. leadership amongst executive peers. This may be
best summarized by Dodge’s further observation,
PARTNERS, INVESTORS, AND EMPLOYEES “A mature vulnerability disclosure program
The VDP halo extends to an organization’s signifies a mature security culture, and may be
overall security brand, acting as a strong a more accurate indicator than press coverage.
indicator of security posture for external I have always researched a company's VDP
stakeholders like prospective investors, partners, when interviewing for jobs to assess the working
and other collaborators. These programs are environment.”
public evidence of an organization’s culture
SECURITY RESEARCHERS incentivized by education, rewards, and recognition.
FOR ORGANIZATIONS WITH A VDP: WHAT IS THE MAIN REASON WHY YOUR Any discussion on the impact of VDPs would be But unfortunately, ‘recognition,’ is all too often
ORGANIZATION HAS IMPLEMENTED A VULNERABILITY DISCLOSURE PROGRAM? incomplete without due attention to the finders of confused with ‘reward.’ Rewards and recognition
vulnerabilities themselves. VDPs provide emerging are both gestures of appreciation but are each
security researchers the opportunity to hone rooted in different measures of value. VDP rewards
6%
their skills, while established hackers can build may come in the form of kudos points, store
VDPs have been mandated for our industry and extend relationships with organizations that credits, or, on occasion, payments. Recognition in
17% 28%
may also offer private, invite-only engagements a VDP program goes beyond the organization’s
We believe VDPs are a security best practice like bug bounties. Both groups benefit from the acknowledgment of the researcher's contributions,
We've recently released new public-facing assets or functionality that knowledge that they are incrementally improving and instead refers to the ability for the researcher to
we want tested the organization’s security—something that 93% of have their contributions recognized by the broader
We were receiving many "rogue" vulnerability submissions and hackers cite is their primary motivation according security community. It is global recognition,
wanted a way to formalize intake and processing to the 2020 “Inside the Mind of a Hacker” report. through disclosure.
49%
Of course, that’s not all they’re motivated by. The
report goes on to show that researchers are also

1 0 | U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E | 1 1
W H AT I S D I S C LO S U R E ? Coordinated, discretionary, and time-boxed disclosure
Sharing security vulnerabilities with the world enables similar organizations to get ahead of threats before terms are based on good faith... they encourage rapid
they become larger problems. Communicating how and when these vulnerabilities were uncovered
can drastically reduce the frequency of their creation, while improving the ability of security researchers remediation while demonstrating commitment to, and
to more readily spot related issues. According to recent Bugcrowd research, organizations that adopt
disclosure terms see 30% more vulnerabilities than organizations that don’t. appreciation of, the hacker community.

“Disclosure” has several meanings, referring both to the communication of a vulnerability to the
organization within which it was discovered, and to external parties, usually in a public forum. While
the first definition benefits the organization, and by extension, its direct customers, partners, and other
stakeholders, the second, when done right, benefits the entire digitally connected world.

However, the term “disclosure” does carry an unfortunate and misplaced stigma, which is holding back
security standards globally. A quick exploration of the varying types can help to clarify terms and alleviate
unfounded concerns.

THE SPECTRUM OF DISCLOSURE

Programs on the Bugcrowd platform that adopt disclosure terms see NON-DISCLOSURE vehicles, and other IoT devices that are difficult to
When programs are marked as “non-disclosure,” quickly recall or update remotely.
30% more vulnerabilities on average, versus organizations without. it is understood that the finder is not permitted to
communicate any portion of a vulnerability beyond TIME-BOXED DISCLOSURE
the confines of the organization itself, even after it More mature organizations set a “timer” on
has been resolved. For non-disclosure programs, disclosure for every vulnerability, essentially
no vulnerability, regardless of type or severity, declaring their commitment to fixing fast. This
can be shared. While these programs still receive approach is often taken by organizations who
submissions, they do not encourage them. deem security to be a strategic priority and need
to invest in building the best possible relationship
COORDINATED, OR DISCRETIONARY with the security community.
DISCLOSURE
When organizations opt to enable coordinated Coordinated, discretionary, and time-boxed
disclosure, they signal openness to consider disclosure terms are based on good faith, and are
public disclosure of remediated vulnerabilities, in considered best practice for all parties involved
full or in redacted form, on a case-by-case basis. as they encourage rapid remediation while
Removing a vulnerability from consideration for demonstrating commitment to, and appreciation
coordinated disclosure is sometimes necessary of, the hacker community. 77% of organizations
when disclosing it creates significant risk to with a VDP in place enable one of these
customers, as is the case with pacemakers, methods of public disclosure.

U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E | 1 3
 O B S TAC L E S TO D I S C LO S U R E
Coordinated disclosure policies help reduce Christian Toon, CISO at law firm Pinsent
risk to industry peers, while strengthening the Masons, notes that self preservation and fear
relationship with the researcher community. of reputational damage can harm the outlook
Security researchers’ reputations are their brands, of certain owners when it comes to disclosure,
and receiving acknowledgment for identifying “Many organizations see disclosure of a
an exceptionally complex vulnerability enhances vulnerability to be an admission of failure that
the finder’s reputation and increases their harms their reputation, but this is a short-term
market value. Organizations that clearly state outlook” he states. “Embracing vulnerability
their willingness to collaborate on disclosing disclosure creates a security-first mentality, builds
vulnerabilities in advance can expect better your reputation within the security community and
relationships with the security community, and educates your board in the process. Why would
often greater program activity. Of course, it’s not you not want the help of security researchers to
quite that simple for many organizations. strengthen your business?”

FULL DISCLOSURE
Unlike the other approaches, full disclosure is However, both parties often prefer to avoid this
not a program policy. It is an individual instance type of disclosure at all costs. Both non-disclosure
of public communication wherein the finder and full disclosure are discouraged because of
discloses a vulnerability before it has been fixed. the asymmetric cost to only one party. Disclosure
Bruce Schneier defended the merits of full
disclosure in 2007, suggesting that the threat of
should be undertaken in a way that protects the
owner, rewards the finder, incentivizes further
Organizations that clearly state their willingness
this act is sometimes necessary to force owners
to fix vulnerabilities when they are unresponsive
research, and enhances relationships between
owners and the security community.
to collaborate on disclosing vulnerabilities in
to hackers’ well-intended communications. advance can expect better relationships with
FOR ORGANIZATIONS WITH A VDP: DOES YOUR ORGANIZATION ALLOW COORDINATED OR
the security community, and often greater
DISCRETIONARY DISCLOSURE, WHEREIN THE FINDER OF A VULNERABILITY IS PERMITTED TO
PUBLICLY DISCLOSE DETAILS OF THE FINDING AFTER IT HAS BEEN REMEDIATED?
program activity.

Yes, we allow virtually all vulnerabilities to be publicly disclosed once we have remediated

Yes, we allow some vulnerabilities to be publicly disclosed either fully, or with certain
details redacted, once we have remediated

No, we never allow vulnerabilities to be publicly disclosed

1 4 | U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E
 researchers. While the DMCA was amended in considerably increases the number and quality of
2016 to allow security researchers to work on vulnerabilities submitted.
owned consumer devices in good faith, there are
still legal gaps that need to be resolved before One starting point to consider is Disclose.io, an
organizations can fully benefit from VDPs. open source standardization project that offers a
boilerplate VDP framework instilling safe harbor
Organizations must draft terms to allow and and enabling good faith security research. This
incentivize good faith testing and submission provides an accessible legal agreement for the
of vulnerabilities, in a way that acknowledges research and disclosure of vulnerabilities, and uses
the concerns of legal teams by ruling out standardized terms and policies to create a more
backdoor entry points or loopholes for malicious welcoming space for hackers and researchers,
actors. These agreements create a “safe many of whom do not speak English as a first
harbor” for well-intentioned researchers, which language and have minimal legal knowledge.

Hacking involves testing, stressing, and sometimes even breaking

software to rebuild and improve it.

L E G A L C O N S I D E R AT I O N S

Aligning the interests, incentives, and

expectations for both hackers and VDP
This renders good faith testing of assets illegal
where robust VDPs are not in place, and while the
60% of hackers do not submit vulnerabilities due
owners primarily involves frequent and clear
communications, but there is also a need to
number of hackers convicted for related offenses
is low, it has a chilling effect on the community;
to fear of legal retribution.
provide unambiguous legal clarity and assurance. 60% of hackers do not submit vulnerabilities due
Hacking involves testing, stressing, and to fear of legal retribution.
sometimes even breaking software to rebuild
and improve it. This creates problems in a legal The Digital Millennium Copyright Act (DMCA)
system that presumes malice to be the motive makes it illegal to circumvent controls that prevent
for any party who handles software outside its access to copyrighted material, defined to include
intended functionality. As a result, the default legal software. This applies even to legal owners of the
H O W TO S TA R T A V D P
status for vulnerability discovery and disclosure products in question.
unfortunately excludes good faith research.
These laws were passed during a time when Having a VDP is quickly becoming industry standard, and is no longer optional for some. The
The Computer Fraud and Abuse Act (CFAA) hacking was mostly done maliciously, before the Cybersecurity and Infrastructure Security Agency (CISA) issued a binding directive requiring all federal
prohibits accessing a computer without advent of bug bounties, good faith hacking and agencies to publish a VDP, and 28% of respondents in a recent Bugcrowd survey say that VDPs have
authorization, or exceeding authorized access. a thriving community of professional security been mandated for their organization. However, starting and managing one effectively can seem
overwhelming. There are five key steps that every organization can follow to build a strong program:

1 6 | U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E | 1 7
 68% of security teams have, or would consider awarding
1 | DECIDE ON SELF-MANAGED OR HOSTED

Organizations like Bugcrowd offer managed with the option to have the program listed on
monetary payments for exceptional VDP submissions.
vulnerability disclosure programs to help alleviate Bugcrowd’s researcher homepage, also brings
the time and effort required to construct and run an your program to the attention of registered
effective disclosure program. Bugcrowd provides hackers and researchers for increased likelihood
access to a cloud-hosted secure submission of additional activity and submission volumes.
framework that enables individuals to submit
security feedback from anywhere in the world. Companies with few internet-facing assets, limited
resources, or still-maturing processes may instead
The fully managed process includes design and choose self-management. Though, it’s possible
management of email and embedded submission incoming submissions may outpace the ability of
forms, as well as validation, prioritization, and a thinly resourced team to respond in time, which
remediation advice for each vulnerability. can lead to tension between researcher and
Integration with the organization’s software organization if communications are not prioritized.
development tools encourages a faster fix, while This evolution tends to expedite the transition
Bugcrowd handles researcher communication, to a managed model, as evidence of urgency
points-based remuneration, and support. becomes easier to demonstrate to superiors.
Leveraging Bugcrowd for program management

Bugcrowd’s Managed VDP Process

2 | C O D I F Y E X P E C TAT I O N S

Anyone can submit Any asset that is Submissions triaged

Organizations initiating a VDP should adhere to
principles that make the program scalable and
According to a recent
security feedback Internet-connected and results shared robust. This should include broad indications Bugcrowd survey, 65% of
regarding acceptable conduct, as well as
techniques that could be considered out of security teams reward findings
scope—DDoS or social engineering, for example.
Organizations with limited resources should also with points, swag, or store
restrict the assets covered by the program during
a ramp period, to ensure they have the resources
credit, though 68% have or
Organizations must adopt a model of fluidity, and workflows to properly handle submissions. would consider awarding
transparency, collaboration, and action to Determining how you plan to reward and recognize monetary payments for
contributions to your program can also ensure a
maintain the trust of customers, partners, and healthy relationship with the researcher community. exceptional findings.
the security community at large.
U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E | 1 9
 BEST PRACTICE FOR MANAGING A VDP

Those willing to implement best practice in vulnerability disclosure can both set a standard amongst
peers while differentiating themselves against their competitors. Here are some steps that can make
VDPs work best for organizations, partners and the security community.

3 | E X P E C T TO I T E R AT E
It's important to build in time to review processes, gather data, and revisit workflows. A phased A L IG N E X P E CTATI O NS — Researchers should feel legally protected and know exactly how
timeline can allow room for making adjustments, and revising scope on the fly. As VDPs are not tightly to report a bug and what to expect throughout the process. Don’t be afraid to over-communicate.
scoped, they act as a great barometer for areas in your attack surface that may need more attention.
One interviewee stated that traffic to one site went up over 500% when their VDP was implemented. P R OV ID E CL E A R L E GA L G U I DA NCE — Use standardized terms and clear examples to
Unexpected influxes like this can help focus attention and reallocate resources. encourage good faith interaction, and authorize conduct under CFAA by providing explicit consent
to access systems.
No organization will start with their ideal, preferred disclosure policy, and most efficient communication
G R O U ND INTE R ACTIO NS I N G O O D FA ITH — Allow for the accidental overreach of
process, so the best approach is to build iteratively. Toon says, “I advise those starting out with VDPs to be
scope by hackers done in good faith. Ensure your policy prioritizes relationships and industry
prepared to fail fast and fix fast. Play around with parameters and approaches and gather plenty of data
norms over strict interpretations of the guidelines.
to inform yourself. As long as you don’t annoy or offend the security community or your board it will all be
valuable. Also, check your scope. Once you’ve checked it, get it validated. Scope accuracy is vital.”
R E M E D I ATE E F F I CI E NTLY — Prioritize your end users and the vulnerability finder by
getting to work resolving the bug and validating the fix quickly.

As VDPs are not tightly scoped, they act as a great STA RT A D IA LO G U E — VDPs are a two-way street and there are long term benefits
to working on your end of the relationship with hackers through clear communication and
barometer for areas in your attack surface that may need appropriate incentives.
more attention. TR O U BL E SHO OT THE P R O CE SS — Remove single points of failure in communications
channels, seek feedback from researchers and commit to flexibility in your VDP philosophy
and operations.
4 | BE ACCESSIBLE TA K E A N I NTE G R ATE D A P P R OACH — VDPs are just one in a number of overlapping
tools and procedures that make up your security posture. Ensure all processes and products are
It is also important to give clear guidance around communications, within dedicated channels. This could
configured to move in the same direction.
be a [email protected] email address to begin with, but it is crucial to avoid single points
of failure. Multiple channels, safeguards, and responsible parties can prevent an unchecked inbox or K NOW YO U R L IM I TS — Depending on your current security posture, VDPs can be
overactive spam filter from creating blind spots and associated risk. overwhelming. Work with your team and/or VDP provider to configure a manageable solution.

5 | FACTOR IN RESPECT
Perhaps most importantly, a VDP should define clear disclosure standards based on good faith. These
standards should ensure incentive alignment, so both parties benefit from every interaction. Researchers
should provide as much detail of the vulnerability as possible, while abiding by the agreed upon method
of disclosure. Program owners should reply to submissions promptly, and ensure appropriate recognition
is offered for valid findings.

2 0 | U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E
COMBINING VDPS WITH BUG BOUNTY
OR PEN TESTING

Bug bounties allow organizations to direct programs qualify for financial rewards, so most
targeted, rigorous testing at business-critical organizations limit scope for budgetary reasons,
assets. Similarly, pen test programs enable and may also impose limited testing windows.
organizations to focus on compliance-related While economical, this creates gaps in coverage,
assets, or those where a structured methodology and wrongfully assumes that all potential
would improve how security posture is vulnerabilities can and will be surfaced through
communicated to partners, investors, and an exclusive (often private) crowd of researchers.
customers. Vulnerabilities found through these

82%
The market has failed in creating a standard linear VDP programs provide a much needed
of organizations have, or would consider adding a pay- maturity model for when and how to “progress” catchment for vulnerabilities surfaced by anyone,
per-finding bug bounty program alongside their VDP. between a VDP, Bug Bounty, and/or Pen Test. This anywhere. But they may require the force of each
is because each should be viewed as providing organization demanding a cultural shift, in order
complementary benefits, with adoption driven by to ensure an organization's leadership, and legal
individual goals and resources rather than maturity. team are aligned. As Toon at Pinsent Masons
Atlassian’s Adeloye considers a VDP to be the first notes, “Pentesting has been recognized and
building block in external testing—“a superset that accepted by the audit community, which makes
can include a bug bounty program,” though it’s it useful for assets where compliance is the goal.
equally common for VDPs to be the final addition VDPs still have a long way to go for cultural
to a comprehensive crowdsourced approach. acceptance in business. Good security and
An agreed upon sequence might make for tidier compliance don’t always sit alongside each other."
budgeting, but it also goes against the organic,
adaptive and sometimes unruly nature of security.
Every organization is different.

WHAT DO YOU BELIEVE IS THE MAIN POINT OF VALUE FOR YOUR VULNERABILITY
DISCLOSURE PROGRAM?

Security value: Receiving critical submissions (i.e. without

submissions, it wouldn't be valuable)
Reputation value: Showing auditors, customers, and other
stakeholders our framework for accepting submissions (i.e.
even without submissions, it would still be valuable)
Resource value: Alleviating the burden previously carried by
our team for triaging and routing all vulnerabilities
Relationship value: Building relationships with pen testers
and researchers that we may invite to future paid bug bounty
or pen test programs

U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E | 2 3
 EXPERT ADVICE

"Many organizations see disclosure of a vulnerability to be an

admission of failure that harms their reputation, but this is a short-term
outlook. Embracing vulnerability disclosure creates a security-first
mentality, builds your reputation within the security community and
educates your board in the process. Why would you not want the help
of security researchers to strengthen your business?"

"I advise those starting out with VDPs to be prepared to fail fast and fix
fast. Play around with parameters and approaches and gather plenty
of data to inform yourself. As long as you don’t annoy or offend the
security community or your board it will all be valuable. Also, check
your scope. Once you’ve checked it, get it validated. Scope accuracy
is vital."

"Pentesting has been recognized and accepted by the audit

community, which makes it useful for assets where compliance is
CONCLUSION the goal; VDPs still have a long way to go for cultural acceptance in
business. Good security and compliance don’t always sit alongside
The digital world is expanding, at a rate that far outpaces any one organization’s ability to keep up.
each other."
Vulnerabilities will emerge. Software deployed across millions of devices will be recycled and reused,
multiplying attack surface and risk. To prosper in this environment, organizations must adopt a model
of fluidity, transparency, collaboration, and action to maintain the trust of customers, partners, and the CHRISTIAN TOON, CISO AT LAW FIRM PINSENT MASONS

security community at large.

Vulnerability Disclosure Programs provide a means to align varied business and security goals in a way
that is efficient, and economical, so that every organization can thrive in the digital era.

2 4 | U LT I M AT E G U I D E TO V U L N E R A B I L I T Y D I S C LO S U R E
EXPERT ADVICE

"A VDP is a reciprocation of the good faith shown by hackers who

identify and share vulnerabilities of their own volition. This provides
an opportunity for organizations to give and get respect within the
security community. Owners should measure the effectiveness of
their VDPs by asking ‘how easy does this make it for the good guys
to do the right thing?'"

"A VDP is a superset that can include a bug bounty program."

BRIAN ADELOYE, PRINCIPAL PRODUCT SECURITY ENGINEER AT ENTERPRISE SOFTWARE COMPANY ATLASSIAN

"The primary goal of a VDP is to do right by your end users.

Companies should design a program that works to serve their
customers and researchers, while simultaneously benefiting their
legal and marketing teams."

"Mature vulnerability disclosure signifies a mature security culture, and

may be a more accurate indicator than press coverage. I have always
researched a company's VDP when interviewing for jobs to assess
the working environment."

"If the Department of Defense can have a VDP, anyone can."

ETHAN DODGE, SECURITY ENGINEER AT ENTERPRISE SOFTWARE COMPANY ATLASSIAN