Ethical Hacking: Vulnerability Disclosure Program (VDP) Vs Bug Bounty (BB)

What is a vulnerability disclosure program (VDP)?

Organizations might ask people, such as researchers or computer security specialists, to attempt and uncover issues in their computer systems by using a vulnerability disclosure program (VDP). The objective is to identify these issues before a potentially malicious actor finds them. When security researchers began to inform companies of the problems they discovered at the beginning of the 2000s, VDPs were born. The American Department of Defence launched a VDP in 2008 called "Hack the Pentagon," where they offered rewards to researchers who discovered issues. Since then, a lot of businesses have launched their VDPs to work with security researchers.

What is a bug bounty (BB)?

A bug bounty (BB) is a type of vulnerability disclosure program, which pays people for finding and disclosing flaws in a company's systems, software, or networks. A bug bounty program's objective is to encourage security researchers and other members of the public to find and disclose vulnerabilities so that the organization can fix them and improve the security of its systems. Bug bounties often reward those who discover issues with a company's computer hardware or software. 

The inventor of the "vi" software editor launched the first bug bounty program in 1983. However, the concept of bug bounty schemes took off in the latter part of the 2000s when businesses like Google and Mozilla began to reward those who discovered flaws in their goods. Since then, numerous businesses have launched bug bounty initiatives to entice users to discover security issues in their software and computer systems.

Bug Bounty vs VDP

Bug Bounty: Bug bounties are a form of vulnerability disclosure program where organizations invite external researchers to find security vulnerabilities in their systems and software. They offer financial rewards as incentives for discovering and responsibly disclosing these vulnerabilities. Bug bounties are publicized widely, allowing anyone to participate, and participants actively search for vulnerabilities through penetration testing. Responsible disclosure and adherence to program guidelines are expected.

Vulnerability Disclosure Program (VDP): Vulnerability disclosure programs establish a framework for individuals to privately report vulnerabilities they discover in an organization's software or systems. They focus on responsible reporting and collaboration between the discoverer and the organization. VDPs don't typically offer financial rewards, but aim to provide a secure channel for reporting, prompt patching of vulnerabilities, and may publicly disclose details after an appropriate period.

How to set up a vulnerability disclosure program 

Organizations can strengthen their security posture by proactively detecting and fixing vulnerabilities in their systems or products with a VDP. Additionally, VDPs can assist organizations in improving their reputation, adhering to security standards and regulations, and gaining the confidence of the security community.

Typically, a VDP has the following components:

Scope 

The scope of the program defines the systems, products, and services that fall under its purview.

Policy 

The policy outlines the requirements for researchers who take part in the program, including the kinds of vulnerabilities that qualify for prizes and the procedure for responsible disclosure.

Communication channels 

Researchers must have a safe and dependable way to report vulnerabilities and get in touch with the security staff of the company.

Acknowledgment and response 

Outlines the procedure for confirming receipt of vulnerability reports, evaluating the risk and impact of the disclosed vulnerabilities, and contacting researchers to let them know how their reports are progressing.

Awards 

Lists the awards or bounties that are provided for truthful vulnerability reports, along with their value and payment terms.

Types of vulnerability disclosure programs (VDPs) 

Here are some common types of VDPs:

Coordinated disclosure

The most common type of VDP is coordinated disclosure, in which a company invites security researchers to report vulnerabilities and then collaborates with them to create and apply patches or solutions before making the vulnerabilities public strategy allows the organization to fix the vulnerability without alerting potential attackers to it.

Full disclosure

In a full disclosure program, the organization encourages researchers to report vulnerabilities to the public when they have been found, without any organization coordination or support. This strategy can be risky because it might reveal the vulnerability to attackers before the company can take action to fix it.

Private program

In a private VDP, only a restricted number of vetted security researchers who have signed a non-disclosure agreement (NDA) with the company are permitted access. This strategy can assist organizations in managing information flow and lowering the danger of vulnerabilities being made public.

Public program

A public VDP is accessible to any interested security researcher without the need for an NDA or pre-screening. By using this strategy, organizations can detect vulnerabilities more thoroughly and gain the confidence of the security community.

Invitation-only program

An invitation-only VDP is accessible only to a select set of security researchers who have been invited to participate and pre-screened by the organization. This strategy can assist organizations in reducing the volume of vulnerability reports that they receive and ensuring that they only get reliable information.

Program hybrid

A hybrid VDP combines two or more of the aforementioned methods. For instance, a company might have a public program for vulnerabilities with lesser severity and a coordinated disclosure program for vulnerabilities with higher severity.

Vulnerability Disclosure Program Examples

Vulnerability Disclosure Programs (VDPs) have been adopted by businesses in various industries to collect vulnerability reports from security researchers and ethical hackers. Several illustrious businesses with VDPs include:

1. Apple: Apple introduced the VDP in 2019 and provides rewards of up to $1.5 million for serious flaws in its hardware, firmware, and operating systems.

2. Google: Google offers rewards of up to $1 million for serious flaws in its goods and services, making it one of the oldest and most complete VDPs.

3. Microsoft: Microsoft has a VDP that covers all of its services and products, such as Windows, Office, Azure, and Xbox, and offers prizes of up to $250,000 for vulnerabilities that qualify.

4. Uber: Uber has a VDP that includes its websites, backend systems, and mobile applications.

5. Intel: Intel's VDP offers rewards of up to $250,000 for qualified vulnerabilities across its hardware, firmware, and software products.

6. GitHub: With a VDP that covers its online domains, API, and mobile applications, GitHub — the biggest code repository in the world — offers rewards of up to $30,000 for valid vulnerabilities.

7. Tesla: Tesla has a VDP that covers its cars, goods, and services and offers prizes of up to $10,000 for vulnerabilities that qualify.
   

The importance of vulnerability disclosure programs

Setting up a vulnerability disclosure program is an important step towards securing your applications by encouraging ethical hackers and researchers to share details of vulnerabilities in your systems before they can be exploited by malicious actors.