When creating our latest eBook, State of Vulnerability Disclosure: Market Insights and Trends our aim was to provide the ultimate guide to all things VDP. The final eBook, released last week, is packed with expert opinions, research, and an in-depth look at the vulnerability disclosure landscape across Europe.
To give you the full scope, we focused on both perspectives: on one side, the ethical hackers, penetration testers, and security researchers; and on the other, the information security professionals who are tasked with keeping their organizations safe.
At the core of the eBook is our original research: we conducted a survey with close to 100 cybersecurity professionals about how they feel about vulnerability reporting, VDPs, and cybersecurity in general. Their responses provide a unique perspective to understanding how VDPs are applied in the real world. Drawing on these insights, we’ve created an informative and highly practical guide to vulnerability disclosure.
In this blog post, we discuss some of the most interesting findings from our research.
A Vulnerability Disclosure Program (VDP) isn’t just a necessity for companies operating in heavily regulated industries; it’s a crucial safeguard for any organization, regardless of its sector.
In today’s digital landscape, where sensitive data is at risk and cyber threats loom large, having a VDP in place is a smart move for everyone. This includes organizations that offer software services that are accessible from the internet, those looking to minimize the chances of becoming victims of malicious cyberattacks, and those who want to showcase a proactive and conscious commitment to cybersecurity.
2. Strong VDP leads to improved security, risk management, and better relationships with ethical hackers
We asked our survey participants about the main benefits of having a VDP in place. Let’s see what they said:
More than 50% of respondents mentioned VDP’s role in improving security. By establishing a systematic process for fixing security problems, VDP enhances the organization’s overall security posture, effectively lowering the risk of falling victim to cyberattacks and data breaches.
Close to half of the respondents said that VDP helps form and maintain a positive relationship with the ethical hacker community, fostering a collaborative atmosphere where security is a shared goal.
Almost one-third of respondents also mentioned that VDP enables more efficient resource allocation by focusing efforts on addressing real vulnerabilities rather than dealing with the aftermath of unreported cyber threats.
Last but not least, around 10% of respondents think that VDP also helps with improving the organization’s reputation. In fact, VDP demonstrates to stakeholders and customers that the company takes cybersecurity seriously and is willing to collaborate with ethical hackers to protect customer data, which in turn fosters trust and credibility.
Surprisingly, 62% of security researchers we surveyed have, at some point, chosen not to report a vulnerability they discovered. Some of the primary culprits behind this were unresponsiveness from the organization and a lack of proper communication channels.
In 37% of the cases, the reason was ‘No rewards were offered’ making the incentive to report less appealing. Some participants were deterred by disagreements over the company’s disclosure terms or had previous negative experiences with uncooperative organizations, and a few even noted that the company’s website had threatening language, which further discouraged them.
All of these findings underscore the importance of having a robust Vulnerability Disclosure Program (VDP) in place. Neglecting to prepare for such scenarios by not implementing a proper VDP can expose your organization to a multitude of risks and challenges.
One standout revelation from our survey highlights the importance of cultivating a positive relationship with ethical hackers. Over 80% of the security researchers we surveyed have encountered unfavorable experiences when reporting vulnerabilities to companies. Shockingly, the most prevalent issue was a delayed response, closely followed by the scenario of receiving no response at all. A small minority (3%) even had the distressing experience of facing threats of legal action in response to their reports.
Here’s the bottom line: When someone takes the initiative to report a vulnerability directly to your organization and encounters a negative encounter, it leaves a lasting impression. This means that they’re less likely to collaborate with your company in the future.
Worse yet, they might share their negative encounter with others, creating a domino effect within the ethical hacker community. This, in turn, can significantly damage your company’s reputation within the cybersecurity space.
The sentiment among information security officers is overwhelmingly in favor of having a Vulnerability Disclosure Program (VDP): 53% of the surveyed professionals absolutely agree that companies operating within their industry must have a VDP in place, with an additional 20% expressing a somewhat agreeable stance.
As one security professional put it, “As our dependence on digital systems grows, so do the threats. Data breaches, hacks, and other cyber threats are becoming more sophisticated and frequent. VDPs allow organizations to learn about vulnerabilities in their systems that they may not have been aware of and to fix them before they can be exploited.”
Another security expert emphasized, “Cybersecurity is a shared responsibility. Hackers, security researchers, and even users can discover vulnerabilities. A formal VDP provides a clear channel for these individuals to share their findings responsibly and safely.”
These opinions underscore the critical role that VDPs play in today’s complex digital landscape, not only for safeguarding organizations but also for promoting a collective commitment to cybersecurity and the proactive identification and resolution of vulnerabilities.
While these cybersecurity insights are undeniably important, they are just the tip of the iceberg. Our eBook also serves as a practical guide for companies and information security professionals looking to establish a Vulnerability Disclosure Program.
Following our tips on getting started with initiating and implementing a successful VDP, companies can enable ethical hackers to report vulnerabilities directly to the organization. As a result of knowing their weaknesses and being able to proactively address security vulnerabilities, they will be better equipped to mitigate the risks of potentially fatal data breaches.
In summary, it is crucial to recognize that a Vulnerability Disclosure Program (VDP) is more than a mere security protocol; it stands as a strategic imperative encompassing the critical facets of security, reputation management, resource optimization, and community engagement.
In today’s landscape of corporate cybersecurity, VDPs have ascended to the status of a prevailing best practice. Many organizations from agile startups to large corporations have successfully implemented VDPs and developed long-term, positive relationships with the ethical hacker community.
In the future, we can expect to see a broader VDP adoption and a continued evolution of these policies to confront emerging challenges and threats, including a heightened focus on managing supply chain vulnerabilities, enhanced collaboration between different organizations, and a deeper integration of VDPs into comprehensive risk management and cybersecurity frameworks.