Contributed by: Rena Chua, Bug Bounty Advisor for HackerOne
As a Chief Information Security Officer (CISO), you are responsible for your organisation’s information and data security. Your job is to reduce the risk of a security incident, protect your brand and assets, and ensure the security of your customers and their valuable data. You know as well as I that keeping those assets secure is a non-stop endeavour, and equipping your organisation with the extensive toolkit necessary can be prohibitively expensive. You often say that it’s impossible to scale security with internal resources alone.
When a security vulnerability is found, it needs to get into the right hands quickly so it can be safely resolved. The last several years have seen the most destructive data breaches of our time. But they could have been much worse. To date, nearly 200,000 security vulnerabilities have been eliminated with the help of friendly hackers.
When a hacker discovers a vulnerability, they’ll likely look for ways to disclose it to your security team. But if an obvious reporting channel is unavailable, hackers are faced with an undesirable choice: doing nothing, or disclosing the vulnerability publicly. In fact, according to HackerOne’s Hacker 2020 report, 21% of hackers surveyed said that they found a vulnerability but opted not to disclose it because the company did not have a clear channel to receive the hacker’s report. That means almost 1 in 4 companies faces potentially critical vulnerabilities that remain unreported, unknown, and unresolved.
The Challenges Hackers Face when Reporting Vulnerabilities
A vulnerability disclosure policy (VDP), commonly referred to as the “see something, say something” of the internet, is intended to give anyone who stumbles across something amiss clear guidelines for reporting it to the proper person or team responsible.
Think of this real-life analogy: You walk past a neighbour’s house and see their back door was left wide open. What would you do? You’d probably knock on their door, holler for them, or maybe even call them. However, for organisations, technology, or websites, it’s not that simple.
Attempts to report security vulnerabilities often carry considerable legal risk for the hacker, so many hackers simply withhold vulnerability information or publish anonymously. When businesses do not empower hackers to disclose a vulnerability, the vulnerability puts the business and the public at risk. When hackers must report anonymously, it is difficult for companies to obtain key information they might need to fix the vulnerability, and hackers do not get appreciation or confirmation of the fix in return. In both cases, it’s impossible to achieve an optimal outcome that ensures security vulnerabilities are safely resolved, and the internet is less safe than it could be.
The beauty and value of VDP
A VDP is one of the formalised ways in which organisations can receive vulnerability submissions from the outside world under set guidelines. VDPs are intended to remedy that situation by giving finders (e.g., security researchers, ethical hackers, white-hat hackers, bug hunters) clear directions on how to report a potential security vulnerability to your organisation. A VDP also gives internal security teams an easy means to receive, evaluate, and communicate such findings. VDPs also help eliminate the potential business impact should someone not know how to report a vulnerability and it winds up on social media.
VDPs are becoming an established best practice and even a regulatory expectation. Guidance on vulnerability disclosure has been published by numerous organisations, including the United States Department of Justice, the National Institute of Standards and Technology (NIST), and the International Organisation for Standardisation (ISO/IEC 29147:2014). Governments are also taking the lead in establishing VDPs: the U.S. Department of Defense has had hackers discover over 18,000 valid vulnerabilities exclusively through HackerOne’s VDP in three short years. The Singapore government also launched a formal VDP with HackerOne in 2019, demonstrating an ongoing commitment to collaborate with the cybersecurity community to build a secure and resilient Smart Nation.
The beauty of a VDP is that it is simple, cost-efficient, and quick to establish. If it is done correctly, the policy can serve as the basis for a complete vulnerability disclosure program, which defines how organisations handle incoming alerts (legally and technically), how they communicate with finders, how their internal teams validate, mitigate, and externally disclose a security vulnerability, and how activities and results are summarised and reported to stakeholders and decision-makers. VDPs should contain enough detail to help both you and the researchers improve your security. Our guidance is that a VDP should at minimum include the following five critical elements:
- Promise: Convey the mission behind the policy and explain your commitment to security, customers, and others. Include statements on why this policy was created, why it is important to have a public policy, and what it is expected to accomplish.
- Scope: Specify what is fair game, and where attention is requested or not allowed. Also state which types of vulnerabilities should be reported and which are excluded. Limitations may also be placed on products or versions, or imposed to protect data or intellectual property.
- Safe Harbour: Write a good faith commitment that reporters will not be penalised. Essentially say, “we will not take legal action if…”; this gives needed reassurance to those disclosing a vulnerability, so make the language inviting, non-threatening, and clear.
- Process: Detail how finders should submit reports and what information you would like to see. This is where you can set expectations for subsequent communications. Requesting emailed reports can lead to incomplete and unstructured information, while a secure web form like HackerOne’s Response product can ensure completeness.
- Preferences: Set non-binding expectations for how reports will be evaluated. This section can include the duration between submission and response, confirmation of vulnerability, follow-on communications, expectation of recognition, and if or when finders have permission to publicly disclose their findings.
Once the policy is finalised and you are ready to accept submissions, it is time to publish the policy on an accessible, easy-to-find website. In the past, most organisations published their vulnerability disclosure policy on their own website. Some organisations also included an email address specifically for submitting security issues. Many of these programs can be found in the HackerOne Directory, a community-curated resource for contacting security teams.
The reality is that vulnerabilities are found every day by security researchers, friendly hackers, customers, academics, journalists, and tech hobbyists. Because no system is entirely free of security issues, it’s important to provide a clear channel for external parties to report vulnerabilities. Having a VDP in place reduces the risk of a security incident or uncoordinated disclosure and places the organisation in control of what would otherwise be a chaotic workflow. You can make your job easier, keep your organisation’s assets secure, and scale your security with the power of the hacker community. To date, hackers on the HackerOne platform have helped find and fix nearly 200,000 vulnerabilities for over 2,000 customer programs.