Responsible Security and Responsible Disclosure: Why a VDP Matters
Anthony Matar | March 25, 2021
Tomorrow is the first day of third grade. With nervous excitement, you’re organizing all of your elementary school supplies: pencils, glue, scented markers…and the oh-so essential personality-matching lunchbox! As if it’s second nature, you take out your permanent marker and start scribbling your name and landline phone number on your things. You have no intention of losing your school gear, but a still MIA pencil bag from last year has left you taking no chances. Look out, third grade!
Ok, that’s not what you came here for. You might not have thought that I could tie this unsolicited nostalgia to a Vulnerability Disclosure Program (VDP), but here we are. A VDP—often referred to as a responsible disclosure program—is similar to writing your name and phone number on your classic school-yard items. It helps others do the right thing by knowing who to call when something has gone awry. However, only one of these concepts is vital for a mature risk program (hint: it’s not the labeled lunchbox).
What’s a VDP?
A VDP is a publicly available policy that provides clear guidelines for external security researchers (i.e., ethical hackers), or any given citizen of the world, to report vulnerabilities they have identified in an organization's systems. The existence of the VDP makes it easy for a security researcher to get in contact with an organization and alert it to the vulnerability, so that the organization can prioritize and address the security issue. No organization has perfect security, so a VDP serves as one layer of many in a mature vulnerability management program. In recognition of this reality, LogicGate has launched the LogicGate Vulnerability Disclosure Program.
Why a VDP? Isn’t it Overkill?
Imagine the following scenario: a good-faith security researcher (think “good hacker”) finds out that there is an unexploited vulnerability in your customer-facing SaaS product that could impact the privacy of your users. The security researcher wants to do the right thing and share this information so that you can take the steps to ensure your users’ privacy is protected. A series of questions arise in this situation:
How can the researcher contact your organization?
Who does the researcher contact?
How does the researcher know their message has been received?
How soon will your organization triage and remediate the issue?
What happens if the researcher isn’t satisfied with your organization’s response?
A vulnerability that could expose your customers’ information is a BIG DEAL, for both you and your customers. Your organization has every interest in handling the issue and making things right. You will also have to work out with your legal and public relations teams what your obligations are for sharing this information with your customers.
The thing is, security researchers work from a set of motivations that are different from those of “bad actor” hackers, oftentimes out of a sense of duty to the public good. If there is friction in their ability to feel heard and be taken seriously by your organization (say, a security researcher doesn’t even know where to report in the first place), they may feel inclined to share the vulnerability in a less than desirable manner. For instance, they may post information about the vulnerability on Twitter or in a hacker forum to make the noise necessary to be heard. In these scenarios, your organization has lost control on a multitude of levels (e.g., the media knows before your customers do), making a bad situation much worse.
A strong VDP sets the ground rules for how your organization will ingest and handle reported vulnerabilities (who to call when the stray school supply is found!). Even better though, it sets up a sort of dual-sided accountability in that the researchers are subject to certain expectations (e.g., agreeing to not disclose over social media) by agreeing to your VDP policy. In turn, researchers are provided a level of legal protection (i.e., “we won’t sue you for disclosing this”).
The old adage in security is “it’s not if, but when” in terms of facing a security incident. Simply posting a security contact email address on your organization's web page is an okay start, but it may not sufficiently handle the type of scenario outlined above. Fortunately, a VDP is a “low hanging fruit” control in that it can be implemented with relatively low investment and the potential for big gains.
How Do I Get Started?
To get started with your own organization’s VDP, you will want to consider these high-level elements for the policy:
What does your organization commit to?
What should the security researcher commit to?
How does the security researcher know they are protected legally (e.g., Safe Harbor)?
What is the general scope of services that they can disclose vulnerabilities about?
Building a VDP will be a joint effort between your organization’s InfoSec, Engineering, and Legal teams. There are ample resources available on how to launch a standard VDP; these two deserve honorable mention:
Although the program can start internally with a simple web page containing the information discussed above, there are “VDP-as-a-service” providers who can take things to the next level with options for vulnerability triage and bug bounty program launches.
Managing your organization’s security is an ever-evolving process. Although a singular control can’t provide comprehensive security, layers of controls working in conjunction with one another can make a program “greater than the sum of its parts”. The implementation of a VDP is just one of many controls that can strengthen a security program and defend against the unexpected. In the same way that a lost backpack can be returned thanks to a “Please call this number…” note, an effective VDP makes it easier for external parties to let your organization know something is not how it ought to be.
About Anthony Matar
As the Senior Information Security Analyst, Anthony helps foster a security-conscious culture at LogicGate that sees its responsibility to enterprise risk management as “part and parcel” with the organization’s objectives. Prior to LogicGate, Anthony spent time in cyber risk consulting, working with numerous Fortune 1000 companies in the realm of application security, infrastructure security, and security strategy. In his own words, “a GRC tool like LogicGate would have been an absolute game-changer during my spreadsheet-heavy years in the consulting industry.”