Governmental bodies around the world are actively promoting the benefits of having a Vulnerability Disclosure Policy (VDP) to reduce the risks of cyber-attacks.
Last month, the National Cyber Security Center published guidelines to businesses, addressing the benefits and urgency of having a vulnerability disclosure policy in place to reduce the risk of cyber-attacks. But only a few companies have such a policy.
YesWeHack, Europe's leading Bug Bounty platform, supports companies through every step of setting up a Vulnerability Disclosure Policy (VDP). They help to craft the contents of the VDP, create a VDP webpage, and set up a structured form for submitted reports. Companies benefit by receiving higher-quality reports on their security vulnerabilities and spending less time on irrelevant reports and internal vulnerability management.
Secure Framework for Coordinated Reporting Of Cyber Security Vulnerabilities
There are many ethical hackers who are willing to report vulnerabilities to companies, and help them be more resilient against attacks. Unfortunately, they were often misunderstood in the past as bad actors who were attempting to attack companies. Hence, without a formal VDP, many goodwill hackers will no longer run the risk of reporting vulnerabilities informally, and companies would miss out on valuable information for their security management.
A VDP provides a legally secure, structured framework for reporting vulnerabilities on a company's website, products or services. It ensures that those who report vulnerabilities are legally protected. In addition, a VDP showcases companies' commitment to security, by welcoming external examination - a reassuring gesture for partners and customers who value security.
The YesWeHack VDP Services
With the VDP offering, YesWeHack provides its vast experience in working with ethical hackers, managing security vulnerabilities and its ISO 27001 certified infrastructure, and offers support in the following steps:
- Support in drafting the Policy’s text and commitments
- Support in creating the customer's VDP webpages, integrated into his domain
- Provision of a secure online reporting form for vulnerability reporting
- Secure encryption of reports in the browser via PGP encryption
- Traceability of submitted reports by anchoring the proof of deposit in a blockchain
- Optional: triaging received reports
Clear Differentiation From Bug Bounty Programs
A VDP is a passive approach: it provides a secure communication channel for anyone who wants to report a bug in good faith. The reward is a heartfelt "thank you". In contrast, Bug Bounty is a proactive approach: companies invite handpicked ethical hackers, to identify and report vulnerabilities according to strictly defined rules. In return, they receive a predetermined financial reward.
Many Bug Bounty providers publish both the VDP and Bug Bounty programs on the same website, without making their difference clear enough. This can confuse hackers, and put companies in a challenging predicament. Bug Bounty hunters who were expecting a reward for their efforts, would be sorely disappointed when they do not receive it through a VDP submission. Companies would usually receive too many vulnerability reports due to the lack of differentiation, which leads to extra workload and internal resource bottlenecks.
The VDP program created with YesWeHack prevents confusion: It is published on the customer’s website (and is nowhere to be found on YesWeHack’s platform), thus avoiding any mix-up with Bug Bounty programs. Hackers would clearly see that it is purely a channel for goodwill reporting, with no expectations of being rewarded.
YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 18 000 cyber-security experts (ethical hackers) across 120 countries with organizations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation based only) programs, public programs and vulnerability disclosure policies (VDP) for hundreds of organisations worldwide in compliance with the strictest European regulations.