SafeHats | Managed Bug Bounty Program

Why are Self-managed Vulnerability Disclosure Programs a Bad Idea?

12 July, 2019

Vulnerabilities are inherent to SaaS products and services, and every one of them is an opportunity for an attacker with malicious intent. There are also hackers with good intentions who want to help organizations in exchange for rewards and recognition: they find and report vulnerabilities so that organizations can fix them, or at least be prepared for the worst. A Vulnerability Disclosure Program (VDP) gives white-hat hackers an incentive to discover and report vulnerabilities, a method of communication, and safe harbor from prosecution as long as their intentions are not malicious.

While the concept may seem simple, execution is complex. From ensuring that hackers participate, to managing the resolution of reported issues, to distributing rewards, running a program involves many operational considerations. A VDP should ideally have:

  • Reporting Forum: a medium through which a security researcher can reach the organisation and point out a vulnerability in its product. This can be a portal created exclusively for the purpose (a web page, a contact form, etc.) or a third-party bug bounty platform. Publishing the contact point in a standard location such as /.well-known/security.txt makes it easy for researchers to find.
  • Secure Messaging: reports must be submitted securely so that they are accessible only to the responsible team and nothing leaks. The reporting portal should therefore be served over HTTPS, and the submitted data must be stored securely with access restricted to the people who need it.
  • Triage Team: reported issues must be checked for validity, deduplicated, and prioritised by severity and impact.
  • Ticketing Tool: the DevOps team must be notified immediately when a vulnerability is reported so that the issue can be resolved as early as possible. The reporting forum should therefore be linked to the ticketing tool the organisation already uses, and the ticket should stay flagged until the issue is resolved.
  • Coordinator: an individual or team responsible for the overall administration of the VDP. They coordinate everyone involved, keep the process flowing within the organisation, and handle the disbursement of rewards.

Managing a VDP therefore requires a large resource base. It is no surprise that only a few organizations with large internal security teams, such as Google, Facebook and Uber, run their own programs.

For an organisation without the appropriate experience and resources, the program may bring more challenges than benefits. Things that can go wrong in a VDP include:

  • Vendor contacts unavailable: the researcher may be unable to reach the vendor because no appropriate contact channel is published. Without dedicated staff, reports are missed and the purpose of the VDP is never realised.
  • Participants stop responding: researchers may disengage for many reasons, such as non-payment of bounties or a lack of proper engagement. Failing to tell researchers in time when product updates and fixes are released also leads them to stop responding.
  • Information leaks: an improperly managed program is dangerous because of information leaks. Without a proper communication channel, researchers may reach out through public or otherwise unsuitable channels, and sensitive details of the vulnerability may be exposed as a result.
  • Redundancy: managing the information can be a herculean task, as the volume of reports in a public program can be very high. Many will be invalid, or duplicates of reports already received, and triaging each one individually takes a lot of effort.
  • Conflict: business impact is subjective, and the reward is directly proportional to it, so disputes over the bounty awarded are likely.
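The Triage Team item in the first list and the Redundancy item above come down to one mechanical step that is worth seeing in code: collapsing the many variants of the same finding onto one canonical report before a human looks at it, and ordering what remains by severity. The following is an added example written for this page, not SafeHats' code and not a description of how its triage team works; the report fields, the vulnerability-class keyword list, the severity scale, the URL normalisation rules and the sample reports are all constructed for illustration.

```python
"""Added example (not SafeHats code): fingerprint incoming vulnerability
reports so duplicates collapse onto the first submission, then order the
queue by severity.  Fields, severity scale and sample reports are made up."""
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Coarse vulnerability classes keyed by phrases researchers commonly put in
# report titles.  Assumption: a real triage team would refine this list.
VULN_CLASSES = {
    "xss": ("xss", "cross-site scripting", "cross site scripting"),
    "sqli": ("sqli", "sql injection"),
    "idor": ("idor", "insecure direct object", "broken object level"),
    "csrf": ("csrf", "cross-site request forgery"),
    "open-redirect": ("open redirect",),
}

@dataclass
class Report:
    report_id: str
    researcher: str
    title: str
    url: str          # affected endpoint exactly as submitted
    severity: str     # researcher's own rating; triage may override it
    received: int     # intake order (earlier = submitted first)

@dataclass
class QueueItem:
    fingerprint: str
    canonical: Report                  # first report in the group
    duplicates: list = field(default_factory=list)

    def severity(self) -> str:
        """Highest severity claimed anywhere in the group; a later duplicate
        may show more impact than the first report did."""
        return max([self.canonical] + self.duplicates,
                   key=lambda r: SEVERITY_RANK.get(r.severity, 0)).severity

def classify(title: str) -> str:
    t = title.lower()
    for cls, needles in VULN_CLASSES.items():
        if any(n in t for n in needles):
            return cls
    return "other"

def normalise_endpoint(url: str) -> str:
    """Collapse host case, trailing slashes, query values and numeric path
    segments so /users/42?token=abc and /users/7/?token=zzz compare equal."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""                       # .hostname is lowercased
    path = re.sub(r"/\d+(?=/|$)", "/{id}", parts.path.rstrip("/") or "/")
    params = ",".join(sorted(re.findall(r"([^&=]+)=", parts.query)))
    return f"{host}{path}?{params}"

def fingerprint(report: Report) -> str:
    key = f"{classify(report.title)}|{normalise_endpoint(report.url)}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def triage(reports) -> list:
    """Group by fingerprint.  The earliest submission is canonical (the one a
    bounty is normally paid on); later ones are attached as duplicates."""
    queue = {}
    for r in sorted(reports, key=lambda r: r.received):
        fp = fingerprint(r)
        if fp in queue:
            queue[fp].duplicates.append(r)
        else:
            queue[fp] = QueueItem(fp, r)
    # Highest severity first; ties broken by arrival so nothing starves.
    return sorted(queue.values(),
                  key=lambda q: (-SEVERITY_RANK.get(q.severity(), 0),
                                 q.canonical.received))

# Constructed sample intake (not real reports or real researchers).
SAMPLE_REPORTS = [
    Report("R-1", "alice", "Reflected XSS in search", "https://app.example.com/search?q=1", "medium", 1),
    Report("R-2", "bob", "IDOR on user profile", "https://app.example.com/users/42?tab=billing", "high", 2),
    Report("R-3", "carol", "Cross-site scripting in search box", "https://App.example.com/search/?q=<svg>", "high", 3),
    Report("R-4", "dave", "IDOR user endpoint", "https://app.example.com/users/7/?tab=x", "high", 4),
    Report("R-5", "erin", "Open redirect on /login", "https://app.example.com/login?next=//evil", "low", 5),
]

if __name__ == "__main__":
    for item in triage(SAMPLE_REPORTS):
        dupes = [d.report_id for d in item.duplicates]
        print(item.severity(), item.canonical.report_id, item.canonical.researcher, "duplicates:", dupes)
```

Running it on the constructed sample collapses five submissions to three queue items: the two XSS reports merge (R-3 is a duplicate of R-1 even though the host case, trailing slash and payload differ), the two IDOR reports merge once the numeric user ID is abstracted, and the open redirect stands alone. The canonical report is always the earliest one, which is the ordering that matters when a bounty dispute of the kind described in the Conflict item arises.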

Any of these issues can cause the VDP to fail and bring unwanted attention or disrepute to the organization. In addition, deploying and maintaining the resources for an ongoing VDP is a significant expense.

So how do organizations without a large security team create and maintain a vulnerability disclosure program?

A better option is to run the Vulnerability Disclosure Program through a bug bounty platform. By using a platform like SafeHats, organisations can reach hundreds of talented security researchers. The platform provides the reporting channel, and all reports are triaged by a dedicated team of security researchers working with the platform, so the company does not need to maintain its own triage team. Ticketing and development tools such as Jira and Bitbucket can be integrated with bug bounty platforms. Recommendations for resolving each issue are also provided, so the development team can fix issues faster. Operational tasks such as awarding rewards are handled through the platform as well. The complexities of running a VDP are thus absorbed by the bug bounty platform.

Read more: What Is a Bug Bounty Program and Why Every Organization Needs One?



Copyright © 2020 InstaSafe. All Rights Reserved.