Is your company ready for a responsible disclosure policy program?

Written by Judit Szőcs (Marketing Manager)

A company has to be mature enough to implement a responsible disclosure policy, or at least mature enough to implement a program tailored to its own situation. A responsible disclosure policy can demonstrate your security consciousness, yet if you do it wrong, the effects can be detrimental.

In our latest responsible disclosure blog post we examined bug hunting from an ethical hacker's point of view. Now it is time to look at the other side: the things companies need to think about before letting white hat hackers test their services.

    Prepare your team for a responsible disclosure policy program

    We need to emphasize that responsible disclosure policies and bug bounty programs are great initiatives if a company is mature enough. They make security and the work of companies more transparent while encouraging talented researchers to engage with security. At the same time, bug bounty programs can significantly reduce the cost of vulnerability discovery. No system is perfect, however, so companies need to provide a systematic way for researchers to report vulnerabilities.

      This systematic way is what we call a vulnerability disclosure policy or VDP.

      A VDP has to define a communication process by which ethical hackers can reach the organization and report potential vulnerabilities.
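      One concrete way to publish that communication channel is a security.txt file (RFC 9116), served over HTTPS at /.well-known/security.txt so that researchers and tooling find it without guessing an address. The file below is an added example and not part of the original post or Avatao's own file; example.com, the addresses, URLs and dates are placeholders.

```text
# Added example of a security.txt file (RFC 9116). example.com, the
# mail address, URLs and dates are placeholders, not a real organisation's.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2025-12-31T23:59:59.000Z
Encryption: https://example.com/.well-known/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en, hu
Canonical: https://example.com/.well-known/security.txt
```

      Contact and Expires are the two mandatory fields; the Policy field should point at the VDP itself, and Encryption at a public key finders can use for sensitive details. The practical caveat is that a stale file is worse than none: an Expires date in the past or a Contact address nobody reads signals exactly the lack of process this post warns about, so renewing the file and monitoring the mailbox belong in the internal action plan.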

        But not every company is ready

        There are a few more elements a good vulnerability disclosure policy must contain. First and foremost, one has to assess whether the company and its software engineering teams are ready to work together with ethical hackers. Maturity and a proper security training culture are key.

          Do you have enough resources?

          Once you have encouraged third parties to test your website or services, you have to process the incoming reports promptly and fix the reported issues. After reporting a vulnerability, finders usually wait for a reply and want to see that your company is taking the issue seriously. Before releasing a vulnerability disclosure policy you need to make sure that adequate processes and responsible people are in place to handle incoming reports.

          There has to be a responsible team member who follows up on reports and prioritizes the reported bugs. They have to determine whether a report is relevant (already fixed, not an issue, or not reproducible at all) and be able to escalate the important problems to technical experts.

          Yet fixing the bug is not enough. After the fix, the contact person has to update the finder and coordinate publication of the issue. In larger corporations an internal action plan details this process, with responsibilities, deadlines and best practices, and the company has to make sure that every affected colleague is aware of their role.
          The team needs people with good communication and project management skills as well as the technical expertise to rate and evaluate the reported issues.

            Is your team skilled enough?

            Security is often lacking in higher education. According to 2016 research by CloudPassage, a software engineering student can graduate from the top 10 US universities without having taken a security course. Moreover, three of those universities did not even offer an elective course in the field.

            The skill set needed to handle security issues differs from that of a developer. Implementing a responsible vulnerability disclosure policy also requires the team to have the expertise to understand the reports and fix the relevant bugs.

            Even if you have a dedicated security team, you have to build a security mindset across the whole company. Security is everybody's responsibility, and training engineers enables them to handle vulnerability reports and release fixes for security issues.

            We at Avatao are building a platform to educate developers in security. Avatao offers a rich library of hands-on IT security exercises for software engineers that teach secure programming from design to deployment in a fun and intuitive way. Topics cover web security and secure coding in Java, C/C++ and Python, and also include hot topics like GDPR, payment systems, secure API design, DevSecOps and more.
