Why You Need a Vulnerability Disclosure Program (VDP)

Originally published by Synack.

Written by Ron Ulko.

What is a Vulnerability Disclosure Program (VDP)?

Virtually all computer systems have vulnerabilities in their applications or infrastructure, and persistent hackers are constantly probing for those vulnerabilities to see if they can breach security defenses for malicious purposes.

But there are also independent security researchers and ethical hackers who are testing systems and discovering vulnerabilities. They want to report vulnerabilities they have found to the organization. But unless there is a public and well-defined policy in place, there is no efficient way for the organization to accept and process vulnerability reports. Researchers finding a bug may not know how to report it to the organization. They may not have any confidence that the vulnerability will be addressed. And they may even be afraid of legal repercussions as a result of their hacking activities.

A Vulnerability Disclosure Program (VDP), also known as a Responsible Disclosure Program, is a comprehensive framework an organization develops and makes publicly accessible for responding to cybersecurity threats. It harnesses the power of crowdsourcing by creating a channel for ethical hackers, security researchers and the general public to report security vulnerabilities to the organization, ensuring that the vulnerabilities are addressed before they can be exploited by malicious actors.

CISA Directive for U.S. Federal Agencies Demonstrates Value of VDPs for Broad Sectors

The U.S. government has recognized that having a VDP is an essential component of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems. The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive BOD 20-01 in 2020, requiring federal agencies to establish policies that enable the public to report vulnerabilities. In its first year CISA’s VDP platform helped agencies address more than 1,000 bugs. Nearly 15% of those bugs were critical, the most serious and dangerous in severity.

Components of a Successful VDP

Having a VDP in place sends a message to clients, investors and target markets. It demonstrates that the organization is serious about its security posture and it provides a process for positive and productive engagement in the cyber community, advancing a shared goal of detecting and remediating threats. And many standards such as the ISO/IEC 27001, PCI DSS, NIST Cybersecurity Framework, and OWASP ASVS, require organizations to have a mechanism in place for receiving and responding to vulnerability reports.

A successful Vulnerability Disclosure Program needs to specify how external parties are to report discovered vulnerabilities, and how the organization will receive those reports and process them through to remediation. At a minimum, the Vulnerability Disclosure Program should provide:

• A declaration of the organization’s cybersecurity policy regarding vulnerabilities
• Clear and accessible methods for researchers to file a report, e.g. dedicated email address, web portal
• Definition of expected response (time window, remediation results, recognition, etc.)
• Defined process for analyzing and remediating the reported vulnerability, including collaboration options and remuneration, if appropriate
• Scope of what is and what is not fair game, and what is off limits to researchers
• Declaration that valid research activities will not result in legal action

How a Vulnerability Disclosure Program Can Reduce Incident Cost

The immediate costs associated with a cybersecurity incident are normally obvious. Was there a loss of revenue, did they pay a ransom, did they suffer a reputational hit, etc.? But in addition to these costs the organization also incurred an employee cost, the time that employees across the impacted organization spent working on the incident. And the cost applies not only to the front-line security team.

Every time a person, from a level-one customer care rep to security and development managers, all the way up to the CIO, examines a report, documents it, determines its severity, develops a remediation, verifies a resolution, or makes follow-up recommendations, there is a salary cost and an opportunity cost. So defining the process with the objective of making it more efficient in mind can result in significant cost reductions associated with the handling of incidents.

One simple example based on a typical incident at an enterprise-level organization without a VDP in place calculated an employee time cost of $1,900 per incident. With a comprehensive VDP in place that incident cost drops to $288, a savings of $1,612. At first glance that may not appear to be a significant savings. But if the organization needs to handle just 100 incidents (indeed, enterprise-level organizations process a lot more than that) the annual savings becomes $161,200, more than justifying the cost of developing and administering the program.

And these employee costs apply not only to a breach, but also to a voluntarily disclosed vulnerability. Not having an organized way to handle reported vulnerabilities leads to inefficiencies both in terms of how many people get involved with the report and the time it takes to respond to the researcher.

With a VDP in place there is a process to ensure that the report is handled efficiently with minimum impact to employee time. It also ensures that the researcher submitting the report gets a response in a timely manner so there is less chance that the researcher will get discouraged and perhaps even disclose the vulnerability publicly potentially exposing the organization to a breach.

Consider a Managed VDP

You might be thinking – OK, having a VDP will help me discover and deal with vulnerabilities and keep me connected to the cybersecurity community. But someone has to manage the process. My security team is already overstretched.

This situation is not uncommon. No matter how much you automate the process, it still has to be managed. That’s why you should consider contracting with a third party to manage your VDP. Cybersecurity companies with expertise in penetration testing and vulnerability management can manage your VDP program for you.