What is Vulnerability Disclosure Philosophy (VDP)?
Any business launched online in the cyber network is inevitably at risk of vulnerabilities — bugs and issues that can endanger the business infrastructure as well as public information and create irreparable damage. Consequently, many organizations are now using vulnerability rewards programs (VRP) such as Bug Bounties in order to have a safer business online by patching and remediating these vulnerabilities before publication and creating further damage. Though, in these programs, an undeniable need for a Vulnerability Disclosure Philosophy (VDP) is tangible.
V.D.P determines how the vulnerabilities, which are previously found and reported by hackers to the developers as certified bugs, should be publicized. This guideline, as a previously-set and transparent instruction, minimizes any kind of possible conflict between a bug finder and the developer in the publication process. A VDP usually includes all the factors to be accounted for including the date and process of vulnerability disclosure as well as the bounty payment process.
According to a Vulnerability Disclosure Philosophy instruction, the two parties should respect the terms and guidelines and put their efforts into creating a better experience in a Bug Bounty program for both the hacker and the business owner.
The hacker should guarantee to respect the privacy of the business, not gaining any unauthorized access nor destroying any data. Also, he/she should be committed not to damage the structure of the online business through his efforts to find vulnerabilities. This will prevent any unwanted damage to the provider’s information in the process.
On the other hand, the provider’s security team should try their best to resolve the issue in a transparent and fast manner, provide the hacker with public recognition, and pay the bounty in time. In addition to that, they are banned from taking any unreasonable punitive action against hackers such as legal repercussions.
Vulnerability disclosure process
Initially, the provider publishes a program policy, providing guidelines for the research into their product or service, which should be carefully read and observed by any hacker taking part in the program. Then the hackers take action to find any issue in the set boundaries, and once found, the finder can report the issue to the appropriate program on the bug bounty platform. This report should provide a detailed description of the issue as well as clear and exact steps and a working proof-of-concept. At this moment, the vulnerability should remain private and no publication should take place in order to give the provider adequate time to remediate the problem before the disclosure.
After the report is closed, the disclosure can take place by the request of either the finder or the provider. Usually as a default procedure, with no objection from either side, the report is made public in 30 days; although, in case of a mutual agreement, the provider and finder can settle for a definite deadline for the vulnerability to be disclosed. Furthermore, if the public data is at stake, the provider can take action and publicize the issue as soon as reported to provide remediation details to the public to give its users head-ups to take protective actions.
In case of a complicated issue, the provider can request an extended timeline to remediate the problem fully. But if no result is achieved after 180 days, the content will be publicized regardless of the inability of the provider to solve the issue and the hacker receives the proper recognition. Through the guidelines of Vulnerability Disclosure Philosophy, both parties’ interests are taken into account as well as the public interest; and a safe, trustable, and well-structured process is created for both finders and providers to achieve their goals in a bug bounty program.
In addition to all said, private programs are also available in a Vulnerability Reward Program as non-disclosure deals, determining strict non-closure policies from providers who want to keep their information and data to themselves exclusively. By joining one of these programs, the hacker is committed to NDAs and specific policies and is banned from any kind of public disclosure.
There are several requirements for a hacker to receive public recognition after reporting a vulnerability. The hacker should be the first one to report a particular issue; the vulnerability should be validated to be confirmed as a valid problem; and finally, the hacker should have obeyed the specific guidelines and policies all the way through.
Following all these steps, the hacker will get his/her previously-set reward as well as public credits, and the provider patches the issue that could later on lead to bigger problems. In conclusion, using this carefully programmed procedure in the form of ISO/IEC 29147:2018: Vulnerability Disclosure in Information Technology standard, vulnerability rewards programs are thriving more than ever.
Finally, the public trust is raising regarding bug bounty programs, leading to More than $40 million worth of vulnerabilities reported only in 2019 through this platform, which was more than all the years before combined. After all, we can define Vulnerability Disclosure Philosophy as a platform for mutual trust and reliability for both sides to participate in crowdsourced security programs in order to have a safer network online and a better experience in using bug bounties.