Contributors
- Mohnish Dhage, Security Specialist, Stratejm Inc.
- Athul Jayaram, Security Researcher, HackerOne and Bugcrowd
- Dolev Farhi, Information Security Team Lead, Paytm Labs
- Ninad Mathpati, Application Security Engineer, ArisGlobal
- Kashish Mittal, Head of Security, Microsoft
- Jean Barkhuizen, Information Security and Compliance Lead, Applause IT Recruitment
- Sandro Nafzger, Expert for Bug Bounty Programs, sansolutions GmbH
- Florian Badertscher, Senior Security Analyst Cyber Defense and Lead Bug Bounty Program, Swisscom
- Businesses prioritize speed to market over secure coding and testing practices in the development lifecycle. As a result, vulnerabilities exist naturally in software.
- To improve overall system security, organizations are leveraging external security researchers to identify and remedy vulnerabilities, so as to mitigate the overall security risk.
- A primary challenge to developing a coordinated vulnerability disclosure (CVD) program is designing repeatable procedures and scoping the program to the organization’s technical capacity.
Our Advice
Critical Insight
- Having a coordinated vulnerability disclosure program is likely to be tomorrow’s law. With pressures from federal government agencies and recommendations from best-practice frameworks, it is likely that a CVD will be mandated in the future to encourage organizations to be equipped and prepared to respond to externally disclosed vulnerabilities.
- CVD programs such as bug bounty and vulnerability disclosure programs (VDPs) may reward differently, but they have the same underlying goals. As a result, you don't need dramatically different process documentation.
Impact and Result
- Design a coordinated vulnerability disclosure program that reflects business, customer, and regulatory obligations.
- Develop a program that aligns your resources with the scale of the coordinated vulnerability disclosure program.
- Follow Info-Tech’s vulnerability disclosure methodology by leveraging our policy, procedure, and workflow templates to get you started.
Guided Implementations
This guided implementation is a four-call advisory process.
Guided Implementation #1 - Assess goals
Call #1 - Understand the coordinated vulnerability disclosure process and define the goals of the overall program.
Guided Implementation #2 - Formalize the program