The global security threat landscape has changed drastically over the last decade. Hackers with malicious intent, also known as ‘Black Hat Hackers’, constantly find innovative ways to steal corporate data and bring network infrastructure to a standstill. Organizations create layers of security around their applications but often find them ineffective. An organization cannot reduce the ever-growing number of cyber attacks, but it can certainly do something to reduce their impact.
The good news is that there is also a significant number of Ethical Hackers, also known as “White Hat Hackers”, who probe organizations’ systems and responsibly report to the organization when they find a vulnerability. In return they seek some form of reward and recognition.
Your Organization’s Cybersecurity readiness:
Does your organization have a process in place through which any ethical security researcher can reach out to you and report a bug? Do you have a vulnerability disclosure policy for security researchers, so that they do not feel threatened when reporting to you? In case of a cyber attack, does your organization know whom to reach out to?
If any of your answers is ‘No’, it is high time you consulted the right security partner and created one. The /security page is the first gateway of your website through which security researchers will reach out to you to report any security bug they have identified in your application. Your security page URL should look like www.yourcompanyname.com/security. It contains important information such as the vulnerability disclosure policy, the scope, a link to the Safehats portal for report submission, and more. You can view the safehats.com/security page for an overview of its contents.
Benefits of a /security page:
- First point of communication for security researchers to reach out to your organization’s security team
- Scope, rules of engagement, and disclosure policy set clear expectations for security researchers.
- A bounty amount, if provisioned, provides an incentive for security researchers to find bugs.
For the vulnerability disclosure policy, organizations can follow ISO/IEC 29147:2014, which provides guidelines for the disclosure of potential vulnerabilities in products and online services.
It details the methods a vendor should use to address issues related to vulnerability disclosure. ISO/IEC 29147:2014:
- provides guidelines for vendors on how to receive information about potential vulnerabilities in their products or online services,
- provides guidelines for vendors on how to disseminate resolution information about vulnerabilities in their products or online services,
- provides the information items that should be produced through the implementation of a vendor’s vulnerability disclosure process, and
- provides examples of content that should be included in the information items.
ISO/IEC 29147:2014 is applicable to vendors who respond to external reports of vulnerabilities in their products or online services.
You can also refer to the Safehats disclosure policy for more information.
You could also refer to our blog post “What is a Bug Bounty Program and why does every organization need one?”
Visit https://safehats.com for more information.