Software is moving at a rapid pace. Even with secure coding training, a secure SDLC, and third party penetration testing, vulnerabilities still exist. Fortunately, there are many people that are happy and willing to notify you of these issues if they find them.
When we talk about external resources finding vulnerabilities on their own, we often think of bug bounties. Companies offer a bug bounty to compensate people who have identified a bug, submitted it, and followed other rules defined around the program.
A bug bounty is not the only option to provide a means for these users to provide vulnerability information. The process of disclosing these vulnerabilities is known as vulnerability disclosure. I spoke about this on the DevelopSec podcast linked below:
People often get confused between bug bounties and vulnerability disclosure. They often consider the two to be one in the same. But they are actually different. A vulnerability disclosure process should be implemented by every organization. It is the process someone would use to report a vulnerability to the organization, ensuring it makes it to the right people. There are too many instances where a vulnerability may be reported, but it gets lost in the help desk system. This happens because the identifier doesn’t have any clear path to submit the flaw. Left to their own choice, they may attempt emailing, tweeting, Facebook, or the contact us page on the website. Unfortunately, many of these methods are not monitored by the security group and the people that are monitoring them don’t have a defined process to pass the information along.
A bug bounty program is not meant for every organization, nor is every organization ready to implement one. The bug bounty program builds upon vulnerability disclosure by adding a form of compensation. The compensation can range from kudos (or a thank you) to monetary rewards. Bug bounties provide an incentive for people to proactively look for vulnerabilities within your application. Bug bounties come with their own special considerations, which are covered in other posts. If you would like to discuss more about them, contact us.
Creating a clear path of communication and clear set of expectations helps reduce the chance of a vulnerability falling through the cracks. It does mean that each vulnerability will go through an analysis process to determine the risk it exposes to the organization and its clients and the priority level. Make sure that your organization has a clear vulnerability disclosure policy and it the method to report is easy to identify.
Remember, creating a vulnerability disclosure policy doesn’t require a bug bounty. It doesn’t need to promote the testing of your applications for security vulnerabilities. It does provide a means for someone that does identify something to share that with you to help resolve it.
Jardine Software helps companies get more value from their application security programs. Let’s talk about how we can help you.
James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.