A vulnerability disclosure policy sets the rules of engagement under which an ethical hacker or security researcher may identify security vulnerabilities and submit information about them. Vulnerability disclosure policies establish the communications framework for reporting discovered security weaknesses and vulnerabilities. This enables all parties to exchange data in a formal and consistent way and to confirm receipt of the communications.

Ethical hackers or security researchers can help organizations improve the security of their networks, systems, and applications. To do this, ethical hackers are retained under contract for traditional outsourced penetration testing or, in the newer and more rapidly growing model, for crowdsourced security testing. In many instances ethical hackers will report discovered vulnerabilities out of goodwill and without the expectation of remuneration for their services.

A vulnerability is a “weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.” Vulnerabilities often involve personally identifiable information or financial information stored in a company’s database.

To be successful, ethical hackers must take the perspective of malicious threat actors. Ethical hackers step into the shoes of threat actors and view an organization’s defenses from the perspective and mindset of a potential attacker. Ethical hackers must take active measures to probe cyberdefenses for vulnerabilities that would allow them to mount a successful cyber attack. The success of ethical hackers in identifying vulnerabilities reduces or eliminates the opportunity for the next real malicious threat actor.

Interaction with ethical hackers must be subject to important ground rules agreed upon between the ethical hacker and the organization. The most important ground rules for engagement are established in a vulnerability disclosure policy.

What are the key components of a vulnerability disclosure policy?

Commitment

The introductory section provides background information on the organization and its commitment to security. This section explains why the policy was created and the goals of the policy. It is a statement of good will and encouragement: reporting vulnerabilities is of potentially high value. A vulnerability report can reduce risk and potentially eliminate the expense and damage to reputation caused by a successful cyberattack. Keep in mind that, for U.S. federal agencies, creating and publishing a VDP is mandated by a Binding Operational Directive issued by the Cybersecurity & Infrastructure Security Agency (CISA).

Safe harbor

This section explicitly declares the organization’s commitment not to take legal action for security research activities that reflect a good faith effort to follow the policy. The authorization and safe harbor section clearly states that good faith efforts will not result in the initiation of legal action. The language recommended by CISA for the authorization and safe harbor section of a government agency vulnerability disclosure policy is:

“If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the security issue quickly, and AGENCY NAME will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.”

Important guidelines

Guidelines further set the boundaries of the rules of engagement for ethical hackers, including how to handle any sensitive information they encounter. Guidelines may include an explicit request to provide notification as soon as possible after the discovery of a potential security vulnerability. It is common to require that exploits be used only to confirm a vulnerability. Many vulnerability disclosure policies request that discovered exploits or vulnerability discovery activities not be used to further compromise data, establish persistence in other areas, or move to other systems.

Scope

Scope provides a very explicit view of the properties and internet-connected systems that are covered by the policy, the products to which it may apply, and the vulnerability types that are applicable. Scope should also identify any testing methodologies that are not authorized. For example, VDPs most typically do not allow denial of service (DoS or DDoS) attacks or attacks of a more physical nature, such as attempting to access a facility. It is often the case that social engineering, for example through phishing, is also not authorized. Situations vary, and it is important to spell out exactly what is permissible and what is not.

Process

Process covers the mechanisms ethical hackers use to report vulnerabilities correctly. This section includes instructions on where reports, which may contain sensitive details, should be sent. It also lists the information the organization requires to find and analyze the vulnerability. This may include the location of the vulnerability, the potential impact, and other technical information required to identify and reproduce the vulnerability. It should also state the timeframe within which receipt of the report will be acknowledged.

Best practice is to allow ethical hackers the option of submitting vulnerability reports anonymously, without disclosing contact information. In this case the vulnerability disclosure policy would not require the submission of identifying information.

Examples of vulnerability disclosure policies

The United States Department of Homeland Security has published a vulnerability disclosure policy template: https://cyber.dhs.gov/bod/20-01/vdp-template/. The template spells out sections for introduction, authorization, guidelines, test methods, scope, reporting a vulnerability, and the expectations and deliverables of both parties.

Other examples of active vulnerability disclosure policies, from both government and commercial enterprises, can be found on the official websites of the following organizations:

U.S. Department of the Interior  

U.S. Department of the Treasury

U.S. Department of Health and Human Services

U.S. Department of Education

U.S. Department of Transportation

U.S. Department of Justice

Bank of England

Deutsche Bank

Saxo Bank

Starling Bank

Trade-offs in disclosure policy definition

Responsible disclosure permits public disclosure of a vulnerability only after the vulnerability has been eliminated. Developers and vendors may need a considerable amount of time to patch the vulnerability. It can be argued that limiting the information flow lowers risk, since fewer threat actors will be aware of the vulnerability. However, all it takes is one motivated threat actor to discover the vulnerability on their own. In this scenario responsible disclosure may give knowledgeable threat actors more time to exploit the weakness and complete a successful breach. Vulnerability disclosure policies generally specify the need for responsible disclosure, and responsible disclosure is by far the approach preferred by the impacted organizations.

Full disclosure is the other end of the spectrum. If an ethical hacker has done everything possible to alert an organization to a vulnerability and has been unsuccessful, then full public disclosure could emerge as an option of last resort. Publicly disclosing vulnerabilities shifts the playing field towards the assumption that some threat actor is always aware of any given vulnerability. Under that assumption the newly discovered vulnerability presents significant risk and must be disclosed as early as possible. In this scenario the disclosure puts pressure on the affected parties to move rapidly and take the necessary precautions. On balance, full disclosure trades a higher risk of exploitation, and wider attacker interest in the reported vulnerability, for wider research support and advance preparation by cyber defenders. Decisions for full disclosure are usually made by the ethical hacker and are not encouraged by the impacted organization.

Framework standards

ISO provides a guideline offering excellent guidance on the disclosure of vulnerabilities in products and services. Vulnerability disclosure helps prioritize risk, better defends systems and data, and supports the prioritization of cybersecurity investments. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. For more information, refer to https://www.iso.org/standard/72311.html

ISO also provides a guideline, https://www.iso.org/standard/69725.html, which sets out requirements and recommendations for how to process and remediate potential vulnerabilities.

Vulnerability disclosure programs and policies bring compelling value

Bugcrowd connects companies and their applications to a Crowd, a highly specialized network of security researchers. The Crowd can identify critical vulnerabilities faster than traditional methods. Powered by the Bugcrowd crowdsourced security platform, organizations of all sizes can run security programs to efficiently test their applications and remediate vulnerabilities before they are exploited.

Now that we’ve covered vulnerability disclosure policy, dive deeper into vulnerability disclosure programs in The Ultimate Guide to Vulnerability Disclosure. If you’re interested in setting up your own program, get started today.