Vulnerabilities are inherent to SaaS-based products and services, and their presence makes those products susceptible to hackers with malicious intent. There are, however, hackers with positive intentions who want to help organizations in exchange for rewards and recognition. They find and report vulnerabilities so that organizations can secure themselves, or at least be prepared for eventualities. A Vulnerability Disclosure Program (VDP) gives white-hat hackers an incentive to discover and report vulnerabilities, a method of communication, and safe harbor from prosecution, as long as their intentions are not malicious.
While the concept may seem simple, execution is highly complex. From ensuring the participation of hackers, through managing the resolution of reported issues, to distributing rewards, running a program involves many operational considerations. A VDP should ideally have:
- Reporting Forum: A medium through which a security researcher can reach the organisation and point out a vulnerability in its product. This can be a portal created exclusively for the purpose (a web page, contact form, etc.) or a third-party bug bounty platform.
- Secure Messaging: There must be provision for reporting a bug securely, so that the report is accessible only to the concerned authority and cannot leak. The reporting portal should therefore be served over HTTPS, and the data must be stored securely.
- Triage Team: Reported issues need to be checked for validity and prioritized based on severity and impact.
- Ticketing Tool: The DevOps team must be notified immediately when a vulnerability is reported, so that the issue can be resolved at the earliest. The reporting forum should therefore be linked to the ticketing tool used by the organisation, and a flag should stay raised until the issue is resolved.
- Coordinator: The individual or team responsible for overall administration of the VDP. They coordinate everyone involved, ensure a smooth process flow within the organisation, and handle the disbursement of rewards.
Managing a VDP thus requires a large resource base. No wonder only a few organizations with huge internal security teams, such as Google, Facebook and Uber, are able to run their own programs.
For an organisation without the appropriate experience and resources, the program might bring more challenges than benefits. Things that could go wrong in a VDP include:
- Vendor contacts unavailable: The researcher may be unable to reach the vendor because no appropriate contact channel is available. Without dedicated resources, reports may be missed and the true purpose of the VDP is not realized.
- Participants stop responding: Researchers may stop responding for many reasons, such as non-payment of bounties or lack of proper engagement. Failing to communicate product update releases in a timely manner may also cause researchers to disengage.
- Information leaks: Improperly managed programs can be dangerous on account of information leaks. Without a proper communication channel, researchers may reach out through public channels or other inappropriate media, and sensitive information may leak as a result.
- Redundancy: Managing the information can be a herculean task, as the volume of bugs reported to a public program can be very high. Many of them will be invalid or duplicates, and triaging each issue individually requires a lot of effort.
- Conflict: Business impact is subjective, and the reward is directly proportional to it, so there may be conflict over the bounty awarded.
Any of the above issues could cause the VDP to fail and bring unwanted attention or disrepute to the organization. Additionally, deploying and maintaining the resources an ongoing VDP needs would be a significant expense for the organisation.
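Taken together, the Triage Team and Ticketing Tool points above and the Redundancy point here describe one intake pipeline: validate each submission, collapse duplicates, prioritise by severity, and keep a flag raised until DevOps resolves the issue. The following Python sketch is added here as an illustration; it is not code from the article or from any bug bounty platform. It runs over constructed sample reports, and the severity scale, the fingerprint heuristic and all identifiers are assumptions.

```python
"""Toy VDP intake: validate, deduplicate, prioritise, and flag reports as tickets."""
import hashlib
import re
from dataclasses import dataclass, field

# Hypothetical severity scale the triage team ranks on (an assumption, not from the article).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


@dataclass
class Report:
    report_id: str
    researcher: str
    asset: str        # product or host the finding is against
    vuln_class: str   # e.g. "idor", "xss"
    location: str     # endpoint or parameter named by the researcher
    severity: str     # severity as claimed by the researcher
    description: str


@dataclass
class Ticket:
    ticket_id: str
    fingerprint: str
    severity: str
    report_ids: list = field(default_factory=list)
    open_flag: bool = True  # stays raised until DevOps marks the issue resolved


def fingerprint(report):
    """Collapse asset, class and location so near-identical submissions collide.
    Numeric path segments are replaced so /users/123 and /users/456 dedupe."""
    loc = re.sub(r"\d+", "N", report.location.strip().lower().rstrip("/"))
    key = f"{report.asset.strip().lower()}|{report.vuln_class.strip().lower()}|{loc}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


class TriageQueue:
    def __init__(self):
        self.tickets = {}   # fingerprint -> Ticket
        self.rejected = []  # (report_id, reason) for invalid submissions

    def submit(self, report):
        """Validate a report and attach it to a new or existing ticket."""
        if report.severity not in SEVERITY_RANK:
            self.rejected.append((report.report_id, "unknown severity"))
            return None
        if not report.location.strip() or not report.description.strip():
            self.rejected.append((report.report_id, "incomplete report"))
            return None
        fp = fingerprint(report)
        ticket = self.tickets.get(fp)
        if ticket is None:
            ticket = Ticket(f"VDP-{len(self.tickets) + 1}", fp, report.severity)
            self.tickets[fp] = ticket
        elif SEVERITY_RANK[report.severity] > SEVERITY_RANK[ticket.severity]:
            ticket.severity = report.severity  # a duplicate that rates the bug higher
        ticket.report_ids.append(report.report_id)  # keep every reporter for credit
        return ticket

    def resolve(self, ticket_id):
        """Lower the flag once DevOps has shipped the fix."""
        for ticket in self.tickets.values():
            if ticket.ticket_id == ticket_id:
                ticket.open_flag = False
                return True
        return False

    def open_by_priority(self):
        """Open tickets, most severe first: the order the DevOps team works them."""
        return sorted((t for t in self.tickets.values() if t.open_flag),
                      key=lambda t: -SEVERITY_RANK[t.severity])


def build_demo_queue():
    """Feed constructed sample reports through the queue (sample data, not real findings)."""
    queue = TriageQueue()
    samples = [
        Report("R-001", "alice", "portal.example.com", "IDOR", "/api/users/123", "high",
               "Profile of another account is readable."),
        Report("R-002", "bob", "portal.example.com", "idor", "/api/users/456/", "critical",
               "Same endpoint; response also includes the email field."),
        Report("R-003", "carol", "portal.example.com", "xss", "/search?q=", "medium",
               "Search term is reflected unescaped in the results page."),
        Report("R-004", "dave", "portal.example.com", "xss", "/search?q=", "bogus",
               "Severity value is not on the scale."),
        Report("R-005", "erin", "portal.example.com", "csrf", "", "low",
               "No location given."),
    ]
    for report in samples:
        queue.submit(report)
    return queue


if __name__ == "__main__":
    q = build_demo_queue()
    for t in q.open_by_priority():
        print(t.ticket_id, t.severity, t.report_ids)
    print("rejected:", q.rejected)
```

The two IDOR reports land on a single ticket because the fingerprint strips trailing slashes, case and numeric IDs, which keeps the triage effort per bug rather than per submission while still recording both researchers; the second report's higher rating escalates the existing ticket instead of opening a second one. Rejected submissions are kept with a reason so the coordinator can reply to the researcher rather than silently dropping the report.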
So how do organizations that do not have a large security team create and maintain a vulnerability disclosure program?
A better option for such organizations is to run the Vulnerability Disclosure Program through a bug bounty platform. By using a platform like SafeHats, organisations can reach hundreds of talented security researchers. The platform takes care of the reporting process: all reports are triaged by a dedicated team of security researchers working with the platform, so the company no longer needs to maintain its own triage team. Ticketing tools like Jira and Bitbucket can be integrated easily with bug bounty platforms, and recommendations on resolving each issue are provided so the development team can fix it faster. Operational matters such as awarding rewards are also handled through the platform. Thus, the complexities of running a VDP are resolved by using a bug bounty platform.