
Vulnerability Disclosure

When a hacker submits a vulnerability through a vulnerability disclosure program (VDP), there is often an expectation of some level of public disclosure. There are four types of vulnerability disclosure.

Discretionary disclosure

When organizations opt to enable coordinated disclosure, they signal their openness to considering the public disclosure of remediated vulnerabilities, in full or in redacted form, on a case-by-case basis. Ultimately, while disclosure may be requested by the finder of the vulnerability, the decision remains at the sole discretion of the organization. Removing a vulnerability from consideration for coordinated disclosure is sometimes necessary when disclosing it would put customers at significant risk. This is the case with pacemakers, vehicles, and other IoT devices that are difficult to recall quickly or update remotely.

Coordinated disclosure

For more mature organizations, setting a “timer” for resolving and publishing every vulnerability can further encourage more active discovery, although this protocol often requires a dedicated team responsible for rapid remediation and communication. This approach is often taken by organizations that deem security to be a strategic priority and need to invest in building the best possible relationship with the security community.

Coordinated disclosure is based on good faith and is considered a best practice for all parties involved, as it encourages rapid remediation while demonstrating commitment to and appreciation of the hacker community. 66% of organizations allow coordinated disclosure for virtually all vulnerabilities.

Full disclosure

Unlike the other approaches, full disclosure is not a program policy. Rather, it is an individual instance of public communication wherein a finder discloses a vulnerability before it has been fixed. Bruce Schneier defended the merits of full disclosure in 2007, suggesting that the threat of this act is sometimes necessary to force owners to fix vulnerabilities when they are unresponsive to hackers’ well-intended communications.

However, both hackers and organizations often prefer to avoid this type of disclosure at all costs.

In fact, both nondisclosure and full disclosure are discouraged because the cost falls asymmetrically on one party: either the finder is not given recognition for their effort to improve security, or the owner is not given an opportunity to fix a vulnerability before it becomes public in a way that makes malicious exploitation more likely. Disclosure should be undertaken in a way that protects the owner, rewards the finder, incentivizes further research, and enhances relationships between owners and the security community.

Nondisclosure

When programs are marked as “nondisclosure,” it is understood that the finder is not permitted to communicate any portion of a vulnerability beyond the confines of the organization itself, even after it has been resolved. For nondisclosure programs, no vulnerability, regardless of type or severity, can be shared. While these programs still receive submissions, they do not encourage them.
