The security team is the most important stakeholder to your VDP. In addition to the work it takes to prepare for launching and running a VDP, if your security team isn't onboard, it's more difficult to get those outside of the security team to buy in.
Sometimes there can be a sense of pride or defensiveness when it comes to introducing a VDP. The security team may feel that external security researchers identifying vulnerabilities they missed will shine light on their faults. Companies have large and complex attack surfaces and the security team simply can't be expected to have perfect coverage. The narrative shouldn't be to point fingers or blame anyone. As researchers find vulnerabilities, this data should be used as actionable feedback to help your team improve your organization's security posture. Shifting the mindset of your security team to consider external hackers as an extension of your team, not adversaries, will be vital. As previously mentioned, you'll also want to ensure your security team has had a proactive conversation on how to handle detection and response mechanisms as they relate to your VDP.
Information technology means different things to different organizations, and every company has its own set of IT related roles. For the purpose of this guide, we assume IT refers to the individuals and teams responsible for setting up, maintaining, and supporting systems and services relied upon by the business. IT teams generally want to keep things up and running. This is often tied directly to success metrics (for example, uninterrupted up time). While the notion of inviting hackers to test against systems and services they maintain can seem scary, it actually greatly benefits IT. Criminals do not abide by any rules, and could attempt to attack your organization. By creating a standardized channel for good hackers to work with your organization, you can increase the chances of identifying and fixing security issues before they are exploited by criminals. Breaches have huge costs associated with them, including time spent by IT and others, as well as potential downtime if assets need to be turned down or segmented off temporarily as a result of a breach. Having a VDP can help reduce the risk of breaches. Additionally, hacker reconnaissance can help with asset discovery and identifying rogue systems and services that were spun up without the IT team's involvement.
Unless your security team takes on the task of fixing vulnerabilities on behalf of your engineering team, you'll need your engineering organization on board with your VDP. No one likes unexpected work, and VDPs introduce a new stream of vulnerabilities that engineering teams need to address. It's important to work with leadership in the engineering organization to ensure they're aware of the timeline associated with the launch of your VDP, as well as to get buy-in from them to dedicate resources towards fixing bugs. When a VDP launches, there's typically a spike of bugs at the beginning, then it tampers down to a moderate level. Having engineering ready to fix a lot of bugs in the first few weeks of your program can help make the process much smoother for the engineering team, security team, and hackers participating in your VDP. Since you're asking the engineering team to do additional work, it's helpful to illustrate what benefits they'll get from a VDP.
Legal teams like to reduce risk. The concept of proactively inviting hackers to hack your organization, without additional context, can seem very risky. It's important to work with your legal team to see how having a VDP can reduce not only security risks, but legal risk as well. Whether you have a VDP or not, vulnerabilities will be present. Without a VDP, hackers that want to do the right thing and inform you of the issue will have no standard way of reaching you. Having a VDP in place provides a means for security researchers to help you find and fix vulnerabilities before they potentially become a legal issue. Without a channel for accepting vulnerability reports, individuals who identify vulnerabilities might either give up attempting to report it to you, or possibly publicly disclose the issue in an attempt to draw attention to it and ensure it gets fixed.
Depending on your public relations (PR) team's experience with information security, reactions from your PR team about a proposal to start a VDP could range from "when do we start?" to being shocked and entirely rejecting the idea. While the public perception of hacking has started to shift more positively, the word hacker still has negative connotations to many people. The following table outlines common questions and concerns from PR, as well as how to handle these objections.
|Aren't hackers evil? Is inviting them to hack us just asking for trouble?||No. Criminals will always exist and want to hack and exploit us, but a VDP creates an avenue to work with hackers that want to do the right thing and help us find and fix vulnerabilities. If someone wants to be evil, a VDP won't stop them.|
|What if a hacker actually hacks us, instead of helping us?||If someone has bad intentions, they likely won't participate in the VDP. Instead, they may try to remain as anonymous as possible when attacking us. Having a VDP enables us to work with security researchers that want to help.|
|By asking hackers for help, are we admitting that our own security is bad?||No organization has perfect security. Many, very well known organizations in various industries run public vulnerability disclosure or bug bounty programs to augment their existing security processes. Leveraging the global hacking community is a safety net to help find and fix anything that falls through the cracks. In fact, having a VDP can be used for positive security PR.|
|What if a hacker publicly discloses how they hacked us? Won't we look bad?||This depends on the narrative and nature of the disclosure. It's up to us to work with hackers to define agreeable terms on how disclosure works. Most organizations discourage public disclosure of identified issues until after they are fixed, and they usually work with the hacker on the writeup or blog. Without a structured means of accepting vulnerability reports and engaging in this dialogue with hackers, we increase the risk of someone getting frustrated and going straight to the press because they were unable to contact us. Many organizations proactively encourage security researchers to write-up their experience in working with the organization, as it highlights the success of the VDP. This encourages participation from other skilled hackers in the community.|
|How can we be sure that the VDP will work for us? What if we go public and something bad happens?||Most VDPs start in "private" mode, where the program is not announced publicly, and only a handful of hackers are invited to participate. Over time, more hackers are invited, and the program is slowly scaled up towards a "public" launch and announcement. We will stay aligned on timing and keep you up to date on when the program will launch publicly. When it does, we can highlight it as a positive story in how the organization works with the external security researcher community to improve security and keep users safe.|
Your sales team needs evidence to demonstrate the benefits your company has to offer over competitors. As part of the sales process, organizations often undergo a vendor security review or audit to ensure customer trust. Having a VDP in place demonstrates to your customers that you have a mature security program in place and augment it further by working with external security researchers. Additionally, if your close competitors do not have a VDP, this can be used as an advantage when speaking with prospective customers. Work with the sale's team to create a narrative to share with potential customers when questions about the organization's security arise.
|We employ a vulnerability disclosure program to augment our existing robust security processes, which acts like a safety net or neighborhood watch to help identify any security issues in production in almost real time. This helps us ensure your data is safe by reducing the likelihood of breaches. This gives us a solid advantage over our competitors that don't have a vulnerability disclosure program.|
Finance will likely be more involved when you move from a VDP to a vulnerability reward program (VRP), but they need to be included if you purchase services from a third party platform. If you decide to engage with a third party vendor to help set up your VDP, you'll likely need to budget for these services. It might seem like a small thing, but it's a good idea to speak with your finance team early on to understand their process.
To achieve stakeholder buy-in, you'll need to determine the best communication methods for your organization. If you anticipate most of your organization to be agreeable, then you can often proceed with a single proposal, solicit feedback, and conduct a single meeting to discuss any questions and concerns. If this approach won't work in your organization, then meeting with stakeholders individually to discuss their personal questions or concerns might be a better approach. Be prepared to handle objections or questions around risks associated with starting a VDP. As you pitch the idea of a VDP across your organization, you'll need to sell the benefits and confidently address real and perceived risks.