Responsible Disclosure

Updated Jan 30, 2024

Overview

Describes the ethical practice in which a security researcher discloses information about vulnerabilities in software, hardware, or an online service in a confidential manner to the relevant stakeholders.

  • Allows the affected party enough time to address the vulnerability before public disclosure.
  • The researcher contacts the owner or developer privately, for example by email.
  • Both parties agree on a timeframe before the disclosure is made.
  • This helps ensure the vulnerability is not exploited by a threat actor before it is fixed.

Bug Bounty Programs

Bug Bounty Programs encourage cybersecurity researchers to find and report vulnerabilities. Organizations can offer monetary rewards to incentivize researchers to participate in the organization's disclosure program in a more controlled and ethical manner. It can be done:

  • Internally
  • Externally through third-party platforms

These platforms include:

  • HackerOne
  • Bugcrowd
  • Synack

Benefits, Considerations, and Recommendations

Benefits of a Bug Bounty Program:

  • Helps increase security of the organization.
  • Fosters community collaboration.
  • Cost-effective: the organization only pays for vulnerabilities that are actually found.

Considerations:

  • Scope of the program
  • Rules of Engagement
  • Rewards
  • Legal protection of researchers

Recommendations:

  • Follow industry best practices.
  • Have a clearly defined scope of the program.
  • Clearly communicate permitted testing to researchers.
  • Ensure full transparency within the bug bounty program.