Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
Here are some important points to factor into your vulnerability disclosure policy.
2 Min Read
Question: I'm setting up my company's first bug-bounty program. What should I be thinking about?
John Bock, vice president of threat research at Optiv Security: Having a basic vulnerability disclosure process ensures that people outside your organization understand how to inform you of vulnerabilities they have discovered. The lack of a readily identifiable route to the security team can result in having to deal with a disclosure under negative terms, instead of being able to properly manage it.
That's why you'll want to validate your process with a self-assessment. You can do this on your own by setting up a non-organizational email account and sending a test "Disclosure" that aligns with your product or service. The test submission should go into a security reporting alias if you have one, plus all other mechanisms for someone in the public to contact you should have policies to forward potential vulnerability disclosure messages to the security team.
As part of your vulnerability disclosure policy, you may want to include a catch-all bounty statement that indicates you give rewards for vulnerability submissions. This will give the individual who discovered the issue more reasons to tell you about it first.
It's also important to set your rewards and bounty program to meet the common standard of your industry peers. Prior to launch, you should also run every available open source vulnerability scanner and whatever commercial tools you have available. You want to make sure you won't be paying out bounties for trivial bugs. In addition, if your product generates false positives with certain tools, it will save time during triage.
Last, keep in mind that the researcher who discloses a vulnerability may not have been the first person to discover it and they have wandered around the environment more than they included in their report. If the bounty includes production environments or products with versions that were already in production, you will want to do a quick pass through the logs to check if it had been previously exploited.
About the Author(s)
You May Also Like
More Insights
Webinars
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024