Vulnerability disclosure is the process by which hackers, security researchers, programmers, or other individuals report security weaknesses and flaws in a computer system to an organization. When ethical hackers discover a vulnerability in a product or system, they often attempt to disclose it to organizations and help in the remediation process before disclosing it publicly.
A vulnerability disclosure policy (VDP) is a document that details how external security personnel can report discovered system vulnerabilities to an organization and how the organization handles them before they are exploited by malicious hackers.
Vulnerability disclosure policies are essential for any company that wants to stay safe from malicious hacks and other security breaches. Such a policy lets hackers with good intentions help you strengthen your system by explaining how they may search for vulnerabilities and when and how to disclose them.
In this article, we’ll look at the crucial elements of a good, responsible vulnerability disclosure policy.
Checklist for Crafting a Good Vulnerability Disclosure Policy
Introduction
The introductory section of your vulnerability disclosure policy document should introduce the company and the services that you offer. Make it clear to the security researcher that you understand the importance of security and its impact on your organization, and that you are continually taking steps to make your system more secure and less vulnerable.
This section should also include a declaration of commitment to addressing every reported vulnerability. An example of such a statement could be: “ORGANIZATION NAME is committed to ensuring the security of consumer data by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.”
Allowed Testing Methods
Security experts employ different ways of legally attacking a system to find vulnerabilities, such as DDoS, SQL injection, a malware attack, or social engineering. An organization should state clearly in its vulnerability disclosure policy which types of testing external security researchers are legally allowed to carry out against its systems in search of vulnerabilities. Typically, organizations forbid external hackers from running SQL injections or DDoS attacks because such attacks can disrupt business activities.
As a rule of thumb, any form of penetration testing that could result in loss of or damage to data, disrupt business activities, or cause financial loss for the organization should be prohibited to external security researchers.
Scope of Services
For organizations that offer an array of different services across different subdomains, it is important to spell out which of your services a security researcher is legally allowed to test. This list is often called an “allowlist” and enumerates the systems or services that are in scope. You may instead choose to use a denylist, which describes the items that are out of scope.
At the end of the list of allowed or disallowed services, you should include a disclaimer such as the one below:
“Any service not expressly listed above, such as any connected services, is excluded from the scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside the scope of this policy and should be reported directly to the vendor according to their disclosure policy (if any).”
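The scope rules above (a denylist that always wins, an allowlist that puts assets in scope, and a default of “not expressly listed, so excluded”) are easy to get wrong at triage time, especially with wildcard subdomain entries. The following is an added example, not code from the article, showing how a triage team might encode a VDP scope and check a reported asset against it. The allowlist and denylist entries (`*.example.com`, `legacy.example.com`, and so on) are constructed placeholders, not any organization’s real scope, and wildcard semantics (a `*.` entry covers subdomains but not the bare apex) are an assumption this example makes explicit rather than something the article prescribes.

```python
"""Scope check for a vulnerability disclosure policy (VDP) allowlist/denylist.

Added example; the entries are constructed placeholders. Decision order,
mirroring the policy disclaimer in the article:
  1. A denylist match always wins (explicitly out of scope).
  2. Otherwise an allowlist match puts the asset in scope.
  3. Anything not expressly listed is out of scope (default deny).
Assumed wildcard semantics: "*.example.com" covers any host under
example.com but NOT the apex "example.com" itself; list the apex
separately if it is in scope.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeDecision:
    in_scope: bool
    reason: str  # which rule decided; useful in the triage record


@dataclass
class VdpScope:
    allowlist: List[str] = field(default_factory=list)
    denylist: List[str] = field(default_factory=list)

    @staticmethod
    def _normalize(host: str) -> str:
        # Lowercase, trim whitespace, and drop a trailing dot (FQDN form).
        return host.strip().lower().rstrip(".")

    @classmethod
    def _matches(cls, pattern: str, host: str) -> bool:
        pattern = cls._normalize(pattern)
        host = cls._normalize(host)
        if pattern.startswith("*."):
            # Wildcard: any label(s) under the suffix, never the apex itself.
            suffix = pattern[1:]  # "*.example.com" -> ".example.com"
            return host.endswith(suffix) and len(host) > len(suffix)
        return host == pattern

    def decide(self, host: Optional[str]) -> ScopeDecision:
        if not host:
            return ScopeDecision(False, "no hostname could be parsed from the report")
        for entry in self.denylist:
            if self._matches(entry, host):
                return ScopeDecision(False, f"denylisted by '{entry}'")
        for entry in self.allowlist:
            if self._matches(entry, host):
                return ScopeDecision(True, f"allowlisted by '{entry}'")
        return ScopeDecision(False, "not expressly listed; excluded by default")


def host_from_url(url: str) -> Optional[str]:
    """Extract the lowercase hostname from a reported URL or bare host:port."""
    u = url.strip()
    if "://" not in u:
        u = "//" + u  # let urlsplit treat the text as a network location
    return urlsplit(u).hostname


def triage_assets(scope: VdpScope, reported: Iterable[str]) -> Dict[str, ScopeDecision]:
    """Map each reported URL/host to its scope decision for the triage record."""
    return {asset: scope.decide(host_from_url(asset)) for asset in reported}


if __name__ == "__main__":
    # Constructed placeholder scope, not a real organization's policy.
    scope = VdpScope(
        allowlist=["*.example.com", "example.com", "app.example.org"],
        denylist=["legacy.example.com", "*.internal.example.com"],
    )
    # Constructed sample of assets as they might appear in incoming reports.
    for asset, d in triage_assets(scope, [
        "https://API.Example.com/v1/users?id=1",
        "example.com",
        "legacy.example.com",
        "db.internal.example.com",
        "notexample.com",
        "vendor-cdn.net",
    ]).items():
        print(f"{asset:45s} in_scope={d.in_scope!s:5s} ({d.reason})")
```

Note that `notexample.com` is rejected: the wildcard suffix comparison includes the leading dot, so `*.example.com` cannot be satisfied by a lookalike domain that merely ends in the same characters. Anything not on either list falls through to the default-deny branch, which is the behaviour the disclaimer promises researchers.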
Safe Harbor
For fear of legal action, security researchers often shy away from reporting a vulnerability they have found to the affected organization. In the vulnerability disclosure policy, you must clearly declare to ethical security experts who find vulnerabilities in your system that you will not pursue legal action against them, provided they comply with the policy.
Guidelines on Reporting Discovered Vulnerabilities
You must provide a guidelines section that gives ethical hackers the information they need to report vulnerabilities correctly. This section includes instructions on where reports should be sent (a designated email address is strongly recommended). You should also specify the format in which the researcher is expected to present the vulnerability information and the details your in-house security personnel need to find and analyze the vulnerability. Such information may include the location of the vulnerability, its potential impact, and any other technical information required to identify and reproduce it. The section should also state the timeframe within which receipt of the report will be acknowledged.
It is best practice to give ethical hackers the option of submitting vulnerability reports anonymously, without any identifying information.
If your vulnerability disclosure program does not offer rewards, you may consider including a disclaimer such as: “By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against the organization related to your submission.”
On the organization’s side, an employee must be assigned to receive and respond to vulnerability disclosures. Security researchers expect to be kept informed about the receipt and resolution of the vulnerabilities they report. If an organization fails to communicate effectively, researchers will be discouraged from testing the system or disclosing vulnerabilities in the future.
Incentivizing Vulnerability Disclosure
Conclusion