Organizations setting up a program often have to decide between a Vulnerability Disclosure Program (VDP) and a Bug Bounty Program (BBP) without really knowing the difference between the two.
A vulnerability disclosure program solely gives clear guidelines for how an organization would like to be notified of potential security vulnerabilities found by external third parties. It is intended to give finders directions on how and where to report a vulnerability so that the proper team can address it.
VDPs are often called the “see something, say something” of the internet. It is best practice to have a public-facing vulnerability disclosure policy, as it encourages others to report security risks that they notice or find.
What’s included in a VDP?
There are 5 key components of a VDP. They are:
1. Opening statement. The opening statement of a VDP should include the reasons why you have a VDP and why it is important to have. This demonstrates your commitment to customers and other stakeholders that are potentially impacted by your security vulnerabilities.
2. Scope. Indicates which properties, products and vulnerability types finders may look for vulnerabilities in. This tells finders which assets they should or shouldn’t focus their attention on.
3. Safe harbor. A statement that assures finders that they won’t be penalized or have legal action taken against them for the vulnerabilities that they find.
4. Submission process. A description of how finders should submit reports and what information is required in a submission.
5. How reports will be evaluated. A descriptive outline that sets expectations for how reports will be evaluated. You can include:
- The expected time finders should wait between submission and the first response.
- How response times will vary depending on the severity and the asset that is affected.
- When finders can publicly disclose the vulnerabilities they found.
- Whether finders can expect a confirmation email or not.
A bug bounty program incentivizes external third parties to find security vulnerabilities in a company’s software and report them directly to the company so they can be safely resolved. In return, the finders of the vulnerabilities are rewarded with monetary prizes.
BBPs can be private or public; you choose whichever will work best for you. BBPs are also a bit more complex than VDPs, as there are many more components and settings to configure, such as a bounty structure and response targets. You can see all the settings that need to be configured for BBPs under general settings.