Benefit from the knowledge of security researchers by giving them transparent rules for reporting vulnerabilities to your team: a responsible disclosure policy.
Your team has been following development best practices and has yet to face a security breach, but in the event that a security researcher discovers a vulnerability, it's important to define a process that lets them report the issue to your team safely. This is referred to as a responsible disclosure policy.
To help the web adopt responsible disclosure, we've developed an open source responsible disclosure policy your team can utilize for free.
What happens when a site is hacked?
Occasionally a security researcher may discover a flaw in your app, which leaves the researcher deciding how to report it. An ethical hacker will privately report the vulnerability to your team and allow a reasonable timeframe to fix the issue; if it is not fixed, they may publicize the vulnerability to alert the public. Disclosing a vulnerability to the public is known as full disclosure, and there are several reasons a security researcher may take this path.
A security researcher may disclose a vulnerability if:
- They are unable to get in contact with the company.
- Their vulnerability report was ignored (no reply or an unhelpful response).
- Their vulnerability report was acknowledged, but the issue was never fixed.
- They felt that notifying the public would prompt a fix.
- They are afraid of legal prosecution.
While not a common occurrence, full disclosure can put pressure on your development team and PR department, especially if the hacker hasn’t first informed your company. These scenarios can lead to negative press and a scramble to fix the vulnerability.
Is full disclosure morally sound?
Some security experts believe full disclosure is a proactive security measure; they argue that the public scrutiny it generates is the most reliable way to build security awareness. Others consider it a careless technique that exposes the flaw to other potential attackers before a fix exists. Whichever side you take, getting hacked is a situation worth protecting against.
How do we protect our site?
A responsible disclosure policy is the first step in protecting your company from an attack or a premature release of a vulnerability to the public. The best part is that such a policy isn't hard to set up, and it gives your team peace of mind when a researcher discovers a vulnerability.
Getting started with responsible disclosure simply requires a security page that states:
- Which parts or sections of the site are within testing scope.
- The types of bugs and vulnerabilities that are valid for submission.
- A dedicated security email address for reporting the issue (e.g., email@example.com).
Best practices include stating the response times a researcher should expect from the company's security team, as well as the expected time to fix the bug. Since fear of legal action is one of the reasons researchers go public, the policy should also state plainly that good-faith testing within the published scope will not be met with legal action. You can view an example in Bugcrowd's Standard Disclosure Policy, which its customers use.
Implementing a responsible disclosure policy also brings the "what if" conversation to your team, raising security awareness and helping reduce the likelihood of a successful attack.
At Bugcrowd, we've run over 495 disclosure and bug bounty programs to provide security peace of mind. Whether you have an existing disclosure program or are considering setting up your own, Bugcrowd provides a responsible disclosure platform that can help streamline submissions and manage your program for you.