When done well and built on a foundation of broader vulnerability management best practices, internally developed vulnerability disclosure and bug bounty programs can be a good addition to your security arsenal. Managed programs on commercial bug bounty platforms only help with the initial triage, but a healthy vulnerability disclosure program doesn’t stop there.
Getting executives to invest in security can be a significant challenge. Leadership is going to need more verification than just the CISO’s scout’s honor pledge that they’re taking the right steps to secure their organization. Unfortunately, vulnerability disclosure is often treated like a stand-alone problem in cybersecurity that can be almost fully outsourced, but in reality, it touches every security process inside an organization.
That’s where Luta Security comes in. As the foremost experts in vulnerability coordination, we’ve got the chops—and a provable methodology—for attesting to the efficacy of vulnerability disclosure and bug bounty programs.
This methodology is called the Vulnerability Coordination Maturity Model (VCMM), developed by Luta Security’s founder and CEO, Katie Moussouris. The secret sauce to this methodology is that it holistically assesses an organization’s security capabilities across five key areas. We base a lot of our thinking and measurement around the fundamental truth that bug bounty and vulnerability disclosure programs (VDPs) are only truly effective when they are part of a larger, holistic security strategy.
You see, simply receiving information about a newly found vulnerability, or actively incentivizing researchers to dig up a previously unknown flaw, is only a tiny part of what it takes to reduce risk and increase resiliency in software. Vulnerability coordination needs to be built on a foundation of the proper mix of people, processes, and technology. The proper foundation makes it possible to address code issues before the code is publicly released, track bugs no matter how they’re discovered, prioritize them, and task the right people to systematically fix and remediate these flaws based on their risk to the business and to customer privacy and safety.
Ultimately, third-party vulnerability disclosure and bug bounty programs should never be the main path to discovering software insecurities. They should be supplementing work that an organization already puts in on a daily basis to discover and remediate flaws and insecure configurations in their software deployments.
That’s true whether an organization invests in their own internal disclosure and bounty processes or buys into commercial bug bounty platforms managed by someone else. At the end of the day, there is no outsourcing or bug bounty-ing one’s way out of needing to build the underlying support structure provided by essential security functions like incident response, methodical patching, and security development lifecycle processes.
That’s the whole premise of VCMM, which evaluates organizations’ internal vulnerability disclosure and fixing practices in the context of their broader security strategy. This context is key for organizations that want to validate their preparedness for positive software security outcomes, rather than simply proving that they regularly pay out bug bounties to researchers.
Internal prioritization of bug fixes, along with integration with the software development lifecycle, incident response, and threat intelligence, are the keys to a successful end-to-end process. This is how vulnerability disclosure done properly can actually improve an organization’s security.
We recently wrapped up validation work on a VCMM engagement with cryptocurrency exchange Kraken that illustrates this dynamic. Its team has taken great pains to build its cybersecurity program as a key differentiator for its business. A big part of that has been tending to the security of its technology through mature vulnerability management practices, including a well-designed and executed bug bounty program. Because Kraken invested significantly in its internal resources, its security practices are healthy. Kraken performs its own end-to-end vulnerability disclosure program management, skipping the cookie-cutter bounty programs offered by the commercial bug bounty platforms and instead creating a program that perfectly fits its needs. As a result, Kraken got high marks in its VCMM assessment.
“Our strategic investments in people, processes and technology are advancing our security maturity, helping to further protect the exchange and our clients. Luta Security was able to quickly assess our vulnerability disclosure processes and internally-managed bug bounty program to confirm that we are on the right track,” said Nick Percoco, Chief Security Officer, Kraken Digital Asset Exchange.
Identifying Gaps - Addressing Weaknesses - Advancing Security Maturity