Instituting a vulnerability disclosure program (aka bug bounty program) that won’t blow up in the organization’s face can be a daunting task.
Some will prefer to enlist outside experts to advise them on how to do it, and others will want to rely on their own IT or security department.
For the latter, here’s some good news: the US Department of Justice has just released a guidance document for adopting a vulnerability disclosure program for online systems.
“The framework does not dictate the form of or objectives for vulnerability disclosure programs; different organizations may have differing goals and priorities for their vulnerability disclosure programs,” the document says.
“Instead, the framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.”
While setting up such a program, there are many decisions to be made:
- Which assets and data will be in scope?
- What is the degree of access to sensitive information that bug hunters will be allowed?
- Which types of vulnerabilities should the researchers flag?
- How will the vulnerabilities be reported?
- And so on.
Among the most important things that have to be executed well is drafting a vulnerability disclosure policy that “accurately and unambiguously captures the organization’s intent,” the document notes.
The US DOJ has pointed to other resources for guidance on establishing a vulnerability disclosure program, but the framework does not include guidelines on how to approach the actual plugging of reported security holes.