Are you afraid of starting a vulnerability disclosure policy or bug bounty programme? You shouldn’t be! Quite the contrary, as Valéry Vander Geeten of the CCB and Stijn Jans of Intigriti made perfectly clear in their cybertalk.
With a little help of 20.000 friends
A ‘coordinated vulnerability disclosure policy’ (CVDP), supported by a bug bounty programme, provide perfect, even necessary complements to classic security measures (as e.g. pentesting). The advantages are many, as these initiatives provide a continuous testing effort by as many ‘researchers’ as you want (from a select group to a world wide community) in a controlled way (you determine the scope). Furthermore, rather than paying for ‘time spent on the job’, you only offer rewards for actual impactful vulnerabilities. As this will be new for many organizations, the CCB authored a guide about establishing a CVDP, while publishing such a policy of their own on their site.
Calling upon a partner as Intigriti to set up a ‘bug bounty’ programme can be a big help, as they provide you with a community of vetted researchers, and take care of a structured handling process (including advice, communication channel, validating claims, etc.). That leaves you as an organization free to focus on its internal process of mitigating those vulnerabilities.
Bluntly, CVDP and bug bounty programmes will not replace classic security measures, but may be regarded as absolutely necessary complements. Do consult this cybertalk to learn about the benefits and why these initiatives really are a must.