How a vulnerability disclosure policy lets hackers help you

Mar 26, 2018 | 6 mins

Does your company have a vulnerability disclosure policy (VDP)? And if not, what might it mean for your security?


In 2015, two US security researchers hacked a Chrysler Jeep as it sped down the highway, remotely sending commands to the dashboard through the car’s entertainment system. They gained control of the steering, brakes, transmission, radio – even the windscreen wipers. Nobody was hurt; the researchers were merely demonstrating a security flaw to the slightly terrified Wired journalist behind the wheel. Their work led to the recall of 1.4 million Chrysler vehicles and showed that the car industry needed to get serious about security flaws.

Roughly six months after the story was published, General Motors, in partnership with HackerOne, a bug bounty and disclosure portal provider, launched a vulnerability disclosure policy (VDP) in an effort to encourage ethical hackers to help them identify security flaws. “If you have information related to security vulnerabilities of General Motors products and services, we want to hear from you,” reads the page on HackerOne’s platform. “Please submit a report in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.”

How common is a vulnerability disclosure policy (VDP)?

This open-door approach to ethical hacking is still far from the norm. HackerOne’s 2018 Hacker Report, which surveyed 1,698 members of the hacking community, found that almost one in four ethical hackers have not reported a vulnerability because the company in question doesn’t have a VDP. Those who’d tried to notify the company through other channels, such as email or social media, also claimed they were “frequently ignored or misunderstood”.

The situation is slowly improving: 72 percent of the respondents in the report said companies were becoming more open to receiving information on vulnerabilities. But 94 percent of the Forbes Global 2000 still haven’t published a VDP – something they may come to regret.

“If somebody outside of your company knows about a security issue that your team doesn’t know about, that’s a big risk because that unpatched vulnerability could be exploited by a criminal,” says Michiel Prins, co-founder of HackerOne. “If you don’t have a vulnerability disclosure policy in place, you will always have that exposure.”

Unlike bug bounty programs, VDPs don’t offer ethical hackers a financial reward for finding security flaws, but they can still be incredibly effective. The US Department of Defense, for example, has reportedly received and resolved nearly 3,000 vulnerabilities thanks to its VDP.

Google, Microsoft and Apple have also used VDPs for many years, and they have mature processes in place to deal with reports of vulnerabilities. New entrants to the software market, or companies whose operations have recently become intertwined with the internet (such as car manufacturers), might not realize they need one.

“Until that first [external] report comes in, a lot of organizations just aren’t watching for them,” says Art Manion, vulnerability analysis technical manager in the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and co-author of the CERT Guide to Coordinated Vulnerability Disclosure.

What should a VDP include?

A VDP effectively gives ethical hackers, research teams, academics and other external parties permission to remotely access the systems outlined in the policy and dig around for vulnerabilities. A safe harbor assurance is particularly important to hackers and researchers, who are effectively putting themselves at risk by notifying an organization of a security flaw.

“It’s a kind of assurance to the ethical hacker community that when they act in good faith, and they follow the rules of your program, there will be no penalty or law enforcement involvement,” says Prins.

Aside from this assurance, “Scope is, hands down, the most important component of a VDP,” says Kimber Dowsett, a security architect currently serving at 18F, a specialized technology division within the US General Services Administration, who drafted the organization’s first vulnerability disclosure policy. “It’s important to determine – and clearly state – which assets are up for grabs.”

When deciding this, organizations must consider data sensitivity, the resources available for remediation, and the overall stability of the asset, she explains. “It doesn’t make any sense to have unstable or untested assets in scope, particularly if those assets house sensitive data.”

As HackerOne details in its guide to the critical components of a VDP, a VDP should also include clear instructions for how to report a vulnerability and what information should be included in the submission. In addition, it should open with some sort of explanation for why the company has chosen to publish it (typically its commitment to security); an indication of when the person reporting the vulnerability can expect a response; a promise of credit for finding the flaw; and a statement of if and when they have the organization’s blessing to publicly disclose it.

“Even just saying it takes us on average 48 hours to fix things, or three months to fix things can help to set expectations. That kind of expectation setting goes a long way towards not having an accidental disclosure later on,” says Manion.

How can companies make this work in practice?

Putting all this information together and publishing it online is a relatively straightforward process. “The VDP itself can be created from available open source templates or existing policies,” says Dowsett, “through a vendor who specializes in VDPs (bug bounty providers are a great start), or with your organization’s legal team following the guidelines established by the Department of Justice [in the US].”

However, putting processes in place internally to deal with the vulnerabilities people report requires a bit more time and effort. “When your security team receives the report, they need to identify whether it’s a valid vulnerability, and find out which team inside the company is responsible for mitigating the risk before handing it off to them to resolve,” says Prins.

“Defining and implementing a VDP requires collaboration from several different teams to make sure that introducing the policy doesn’t open a floodgate of reports that your organization may or may not be in a position to fix before researchers publish their findings publicly,” says Dowsett. “You will almost certainly receive out-of-scope reports, but it’s a lot better than hearing about your vulnerabilities via social media posts.”

The massive Equifax data security breach last year showed that a laissez-faire approach to vulnerabilities can have devastating business consequences, and the UK Government recently announced that infrastructure firms that fail to protect themselves effectively from cyberattacks will soon face fines of up to £17 million [$24 million]. All of which means that VDPs, to borrow a phrase from the car industry, are more likely to come as standard in future, rather than being treated as an optional extra.