
VDPs: Security Game-Changer or Just Another Task?

By Josh Neame, CTO, BlueFort Security

For those of us who’ve worked in cybersecurity for a while, vulnerability disclosure programs (VDPs) aren’t new; the first official program launched in the mid-1990s. One could argue they’re just another tool in the armoury of defences that a company may choose to invest in.

Yet to my mind there’s something that makes VDPs a little bit special. First, they are a very effective and efficient way to identify vulnerabilities. But more than that, the driving force behind them is a community of really talented ethical hackers (or security researchers, as many now prefer to be known). Often operating out of sight, these software super sleuths make it their mission to track down vulnerabilities in some of the world’s most critical and powerful organisations.

VDP, DOD & MOD

The US Government launched its ‘Hack The Pentagon’ initiative in 2016, opening the door for security researchers to look for vulnerabilities in some of its most prized assets. Since its creation, the program has seen more than 600 ethical hackers invited to find bugs in Department of Defense (DOD) resources, resulting in the disclosure of more than 700 issues so far.

Our very own Ministry of Defence (MOD) has followed suit in recent years, launching its own VDP. One could argue that it couldn’t come soon enough: this time last year it was revealed that the MOD had 11 legacy systems at a critical level of risk. To underline how serious it was about the program, it dropped £2.5m into the bug bounty pot to encourage security researchers to dig deep.

Cybersecurity Rock Stars Giving Back

Hackers come in many colours, as this recent article in TechTarget explains. When it comes to VDPs, we’re talking about the white-hatted ones: law-abiding security specialists who only hack within legally permitted, and usually pre-determined, parameters.

Santiago Lopez is arguably one of the most well-known security researchers on the planet. He is famous for being the world’s first millionaire hacker, at just 19. He’s been widely profiled on pretty much all the major media outlets, including the BBC, the Wall Street Journal, and Forbes. An avid supporter of security researchers the world over, Santiago has built a business based on offering his “secrets, strategies, and methodologies to the community”.

Closer to home there’s Dr Katie Paxton-Fear, a lecturer in cybersecurity at Manchester Metropolitan University. Like Santiago, Katie is no stranger to media appearances, and uses her platform to help organisations and individuals alike protect themselves from cybercriminals. This recent Daily Mail video is a cracker!

What actually is a VDP?

A VDP (Vulnerability Disclosure Program) is a structured process that allows security researchers, ethical hackers, and the public to report security vulnerabilities in an organisation’s systems. Like the hackers themselves, VDPs come in all manner of guises. Just as there’s no single, universal, pre-defined cybersecurity program, VDPs are unique to each individual business. The one common trait they share is that behind every program are security researchers looking for security flaws and vulnerabilities in an organisation’s IT infrastructure, all with the aim of bolstering your cybersecurity defences.

VDPs in the context of NIS2

By now we’re all familiar with NIS2, the EU regulatory framework designed to enhance the overall level of cybersecurity across member states. The goal of the framework is to provide a common level of cybersecurity across the European Union, protecting essential services and the digital economy from the growing threat of cyber attacks.

NIS2 is targeted at essential CNI sectors such as energy, transport, banking, and digital infrastructure. However, the scope of the updated directive has widened significantly and now includes a bunch of other critical sectors such as space, waste water, food, and manufacturing. Even IT service providers fall under NIS2’s extended remit!

Article 21 of the directive outlines ten cybersecurity risk management measures to be adopted by in-scope entities. This includes security in network and information systems acquisition, development, and maintenance, as well as vulnerability handling and disclosure.

Specifically, the directive lays out three key attributes of those security measures that relate directly to a VDP. Broadly speaking, these are:

  1. Establish a VDP that allows security researchers to identify and report vulnerabilities.
  2. Have communication channels in place to facilitate responsible disclosure.
  3. Ensure that your VDP is integrated into the organisation’s broader risk framework.

What vulnerabilities might be uncovered?

Contrary to what Hollywood would have us believe (see Top 40 Cybersecurity and Hacking Movies), the top ten vulnerabilities reported to customer programs, according to HackerOne’s annual Hacker-Powered Security Report, are far from extraordinary. In fact, they’re pretty common. Our old friend Cross-Site Scripting (XSS) tops the charts, closely followed by Information Disclosure, Improper Access Control, and the old chestnut of Misconfiguration. That said, however ordinary these flaws might be, they can still pack a punch. Knowing about them and fixing them before any damage can be done is the name of the VDP game.

Want help getting started?

BlueFort’s methodology of Continuous Cyber Discovery delivers a comprehensive understanding of your tools, assets, policies, and APIs across your entire IT estate: on-premise, in the cloud, and hybrid. When it comes to VDPs, we can support you along your journey to creating and delivering a responsible disclosure program, whether that’s a VDP, Bug Bounty, Pen Testing, Red Teaming, or a combination.

If you’re in the CNI sector or any other organisation in scope of NIS2, and you’d like to explore the benefits of a VDP (improved security posture, enhanced reputation through responsible disclosure, and a collaborative relationship with the industry’s software super sleuths), schedule some time in my calendar, drop me an email, or give me a call. You can learn more about VDPs in our latest whitepaper.

Josh Neame, CTO

https://calendly.com/joshneame

01252 917000

info@bluefort.com
