Understanding Vulnerability Disclosure Programs and Public and Private Bug Bounties

Bug bounties and Vulnerability Disclosure Programs (VDPs) are used by thousands of businesses across the globe, yet many people still do not know when to utilize them or how they differ. Even for those who understand the two concepts fundamentally, the distinction between public and private program listings adds complication.

This article will make things obvious. We'll start out by providing a brief definition of both a bug bounty program and a VDP. Then, we'll look at use cases for each program type's public and private versions.


How Do Vulnerability Disclosure Programs Differ From Bug Bounty Programs?

Let's begin with the parallels. VDPs and bug bounties both seek to gather vulnerability reports from outside sources. These third parties may include clients, partners, security researchers, ethical hackers, and concerned citizens. Both types of programs typically share the same components: rules of engagement, a scope, a method of submitting vulnerabilities (commonly a web form), and a procedure for reviewing submissions and getting in touch with the submitters (also known as finders, or hackers in the case of bug bounties). Ideally, each vulnerability report is routed through an internal procedure to the appropriate security or development team.

Without either sort of program, organizations lack a formal method of accepting reports of vulnerabilities. Finders are easily disheartened when they have no way to submit a report, or when they receive no response from a "contact us" email address. Both types of programs also give organizations the option to declare that they won't sue finders, as long as the program's rules are obeyed. Many nations have broad definitions of what constitutes "illegal hacking," which makes it risky even to disclose an unintentionally discovered vulnerability.

The incentive scheme is the primary distinction between bug bounties and VDPs. As implied by the name, bug bounties reward valid submissions with money, the bounty: people who disclose vulnerabilities are paid. VDPs, on the other side, offer gratitude and acknowledgment: finders are recognized rather than paid. It's comparable to paid work versus a volunteer endeavor. Some VDPs do offer swag such as t-shirts and water bottles, but we view these as a way to thank finders rather than as an incentive.

How Do You Choose Whether to Run a Vulnerability Disclosure Program, a Bug Bounty Program, or Both?

Both bug bounties and VDPs are options for organizations to begin with. Organizations that start with a VDP typically want to start small and simply offer a way for third parties to submit reports. The federal government of the United States declared in 2020 that it will mandate that federal agencies "create and publish a vulnerability disclosure policy" (a program is the implementation of such a policy). Eventually, other government proposals will demand that vendors have a VDP. As a result, several organizations set up a VDP to abide by legal requirements. 2020 saw the implementation of the U.K. Consumer Internet of Things (IoT) Security Code of Practice, whose policy states: "All companies that provide internet-connected products and services shall establish a public point of contact as part of a vulnerability disclosure policy so that security researchers and other people can report issues." Vulnerabilities that have been disclosed need to be addressed quickly.

Bug bounty programs are more often run by mature organizations. They intend to provide incentives for hackers to actively search for vulnerabilities in their cloud infrastructure, e-commerce platforms, and applications. These firms set the scope of their bounty programs to concentrate on the assets and applications that are most important to them, and they structure their bounty payouts so that they typically pay more for vulnerabilities of greater severity.

Companies that run both a VDP and a bug bounty program are likely to have distinct program scopes for each. For instance, all web domains might fall under the purview of the VDP, but only specific applications would be eligible for the bug bounty. In other words, VDPs offer comprehensive coverage, while bug bounties promote focused testing.

What Do Private and Public Programs Entail?

Whom an organization chooses to invite to its programs is up to it. If anyone is able to submit reports, the program is public. The program is private if only a selected few are invited. Usually, public programs are listed both directly on an organization's website and in program directories. Public and private programs are compared in Table 1 below.

Why Is a Program Made Private? What Good Is a Private VDP, Anyway?

Organizations frequently start with a private program to make sure their internal resources can handle the volume of submissions. A private program also shields companies that have never engaged with hackers or other third-party reporters from disclosing their vulnerabilities to an unknown and broad variety of finders. To safeguard the confidentiality of reports and assets, start with a small group of trusted hackers. Security teams can then receive, prioritise, and address reports while keeping an eye out for potential confidentiality problems, process modifications, and scope adjustments. Opening a program to the public once the organization is at ease usually results in more submissions and better coverage.

Private programs may be a suitable long-term solution in other circumstances. One important factor is asset scope. Private programs are better suited for sensitive assets requiring stringent access controls and novel assets that must be tested before being released to the public. Additionally, businesses can be searching for a particular skill set and only accept submissions from hackers that possess it.

The use case for a public VDP is clear, because the main objective of a VDP is to enable anyone to submit a vulnerability in any asset. What about private VDPs, though? Doesn't that contradict their purpose? Not for businesses that simply want to learn about vulnerabilities from suppliers or clients. Private programs are appropriate here.



There is no single correct answer to whether your company should implement a bug bounty, a VDP, or both, or whether to make the program(s) public or private. The organization's objectives, its knowledge of its attack surface, its unprotected assets, and the other hazards that make up its attack resistance gap will all influence the answer. Both HackerOne Bounty and HackerOne Response are components of HackerOne's Attack Resistance Management Platform, which can help find important and undiscovered vulnerabilities and bridge that gap. For more information on how HackerOne can assist, get in touch with us.

Thanks & Regards

Nikhil Kanojia

Blogger-Digital Marketer

Hacktechmedia.com
