Bugcrowd is excited to announce the launch of self-service Vulnerability Disclosure Programs (VDP). It’s pretty easy—just enter a credit card to get started with our VDP service. You can now rapidly engage security feedback from anyone in the world within a secure framework with a Bugcrowd VDP.
To celebrate the launch of the new self-service VDP portal, new VDP customers and existing Bug Bounty, Pen Test and ASM customers can access an introductory plan that includes managed triage for your first 15 or 75 vulnerabilities, depending on your chosen plan.
What is a Vulnerability Disclosure Program?
A Vulnerability Disclosure Program offers a structured way for the global security community to report security issues and vulnerabilities, and typically includes a framework for intake, triage, and workflows for remediation. Think of it as a “neighborhood watch” that encourages the public to “say something if they see something.”
Vulnerabilities or weaknesses in IT services, code, critical systems resources and/or processes offer malicious actors an opportunity to compromise your digital assets. Vulnerabilities can surface in many forms such as the exfiltration of sensitive data, the theft or extortion funds through ransomware attacks, and the degradation of critical organizational capabilities, to name a few. If left unprotected, these vulnerabilities can negatively impact your customers and brand. Look no farther than recent Colonial Pipeline Attacks for an example of what we strive to avoid with Bugcrowd VDPs.
Statistics show us that the average software application may have between 15 to 50 defects or “bugs” for every thousand lines of code. The defects not discovered during the typical software development cycle may be found months and sometimes years later by capable malicious actors. Configuration errors are additional sources of vulnerabilities and often emerge due to mistakes made in production deployment. Configuration errors may also inadvertently expose your organization to a dangerous breach.
For these reasons and more, all organizations can benefit from a structured VDP to identify and remediate vulnerabilities discovered outside the typical software development life cycle.
Benefits of Bugcrowd’s Vulnerability Disclosure Program
Bugcrowd’s VDP enables you to securely accept pre-triaged vulnerabilities and rapidly remediate issues submitted from the global security community. With our self-service option, you can typically onboard and launch your VDP program in days.
With Bugcrowd’s self-service VDP, you can:
- Act quickly: Reduce your time to get a VDP in place and lower your costs, both for implementation and ongoing maintenance.
- Reduce risk: Securely accept, triage, and rapidly remediate valid vulnerabilities submitted from the security community. 87% of organizations have received a critical or high priority vulnerability through a VDP.
- Improve security ROI: Visualize and prioritize your entire threat landscape so you can stay ahead of the cyberattacks. Organizations have saved up to $60 million in vulnerability management costs using Bugcrowd VDP.
- Accelerate digital transformation: Digitize workflows and align security testing with your release cycle so you can ship secure code faster.
- Drive better decisions: Deliver context for risks and systems on your entire internet footprint with actionable intelligence for risk management.
- Increase transparency: Demonstrate transparency to the security community and improve customer confidence.
- Protect brand value: Identify vulnerabilities and take proactive remediation steps that will help you enhance the security of your brand.
- Lower operational overhead: Centralize incoming reports on a cloud-based, managed solution that seamlessly integrates into your existing SDLC, delivering frictionless setup with low maintenance.
- Increase security maturity: Build stakeholder confidence and trust by protecting digital assets and responding to known risks.
- Formalize security feedback: Create a channel for security feedback and a framework to manage vulnerabilities discovered by researchers
- Meet compliance requirements and align with best practices: Meet the compliance requirements for VDP specified by governments around the world, and support best practices defined by the US Government, NIST, DOJ, FDA, and others.
In addition to these benefits, Bugcrowd Vulnerability Disclosure implements the rules of engagement you require for an ethical hacker to identify and submit information on discovered security vulnerabilities. Disclosure policies guide and establish the communications framework for the report of discovered security weaknesses and vulnerabilities. Bugcrowd’s VDP enables all parties to exchange data formally and consistently and to confirm receipt of the communications.
A Managed Approach to Vulnerability Disclosure Programs
Bugcrowd provides a managed approach to VDP. Customers rely on us to monitor the intake channels, triage the findings, and provide feedback to the submitting party.
When getting started, companies can deploy a VDP in stages, often referred to as a “crawl, walk, run” approach. The simplest way to start is just to receive vulnerabilities via email. This allows your organization to get used to participating in a VDP which can often deliver a large amount of vulnerabilities soon after launch. The next step up is to embed a VDP submission form directly into your website. Doing so will more publicly display your intentions to proactively protect your organization and demonstrate your engagement and transparency with the security community. Finally, you can also post your VDP directly on the Bugcrowd platform by upgrading from our basic plans to maximize engagement. In this way you can provide additional visibility to our diverse community of security researchers and further encourage their support and participation.
In summary, Bugcrowd’s self-service VDP is an essential tool in a layered cybersecurity approach. By opening this channel to the global security community, you’re not only demonstrating your commitment to protecting your digital assets and customers, but also responding to and remediating known risks faster.
To learn more about our self-service VDP plans and to sign up, click here. You can also download a copy of The Ultimate Guide to Vulnerability Disclosure for more information about how vulnerability disclosure programs work.