Bug bounty platform urges need for firms to have vulnerability disclosure policy

Organisations should have a vulnerability disclosure policy to provide a proper channel for anyone to report security holes in their systems, says YesWeHack's Asia-Pacific head, who advocates this as more important than running bug bounty programmes.
Written by Eileen Yu, Senior Contributing Editor

Organisations should provide a proper channel through which anyone can report vulnerabilities in their systems. This will ensure potential security holes can be identified and plugged before they are exploited. 

Establishing a vulnerability disclosure policy (VDP) also would provide assurance to anyone, such as security researchers, acting in good faith that they would not face prosecution in reporting the vulnerability, said Kevin Gallerin, Asia-Pacific managing director of bug bounty platform, YesWeHack. 

In fact, creating such policies was more important than running bug bounty programmes, Gallerin said in a video interview with ZDNet. He noted that more companies today were embracing the need for a VDP, detailing a "safe and clear framework" through which information about security vulnerabilities could be submitted and how these should be handled within the organisation. 

Without a proper policy in place, security researchers might be less inclined to report a vulnerability or, when they did so, might not receive a response since the organisation's employees lacked guidance on what they needed to do.

"The information [then] gets lost and forgotten until the vulnerability eventually gets exploited," Gallerin said, adding that a proper VDP would provide a structured channel to report security issues and mitigate the affected organisation's risks by reducing their time to remediation. "We're a strong advocate for this."

YesWeHack's service offerings include helping enterprises establish their VDP, integrating vulnerability management with their internal workflows, and reviewing and recommending changes to their existing VDP.

The vendor was seeing growing demand for both its bug bounty and VDP services in this region, including China, Indonesia, and Australia, Gallerin said.  

Headquartered in France, the vendor has an office in Singapore and currently is running bug bounty programmes for Southeast Asian e-commerce operator, Lazada, and Chinese telecoms equipment manufacturer, ZTE. Some 30% of its customer base are in this region, of which half are in Singapore. 

Gallerin told ZDNet that YesWeHack was aiming for Asia-Pacific to account for half of its global clientele, adding that the bug bounty platform currently works with some 10,000 security researchers in this region. It has a global network of more than 25,000 security researchers.

Its triage team comprises full-time employees in Singapore and France, who divide their time between triaging (assessing submissions to bug bounty programmes) and supporting research and development projects, both for internal deployment and for tools for the hunter community.

It previously ran a private bug bounty programme for Lazada, which saw $150,000 in bounties handed out to bug hunters, he said, but declined to say how many vulnerabilities were identified. The e-commerce operator had started out with smaller, private bug hunting exercises before gradually scaling up and launching its public bug bounty programme last month with YesWeHack, Gallerin said.

He noted that most companies in Asia, compared to their US or European counterparts, were less comfortable discussing potential vulnerabilities in their systems and preferred to run private bug bounty programmes. They did, however, realise there likely were security holes their own teams had overlooked and saw bug bounty programmes as a way to identify, and plug, potential vulnerabilities, he said. 

The main objective here was to prevent potential data breaches, he added, which was a common concern amongst Asian companies, especially as businesses today increasingly were collecting and managing large volumes of personal customer data. 

According to Gallerin, YesWeHack's hacker community had been able to find at least one critical vulnerability (one enabling full access to user data or infrastructure) in most bug bounty programmes it ran.
