Vulnerability Disclosure Programs

This is a quick post on what a vulnerability disclosure program is. I will explain it in more detail later on.

A vulnerability disclosure program, also known as a bug bounty, is a program in which a company allows independent researchers to report vulnerabilities to the company they affect.

To put it in other words: you own a company, and a security researcher approaches you. They let you know of a potentially dangerous vulnerability. You, in turn, fix the issue and compensate them for their time and effort.

This can be done with the researcher directly or through a third party such as Bugcrowd or HackerOne. Look at the diagram below.

[Figure: Bug Bounty Program diagram]
  1. You create or run the program through a 3rd party.
  2. Researcher finds out about your bug bounty program.
  3. Researcher finds a bug.
  4. Bug report is submitted.
  5. Vulnerability is fixed.
  6. Researcher is paid for their report.
  7. Cycle starts anew.

If you are a company, then a bug bounty is great to have, as it helps keep your network secure. If you are a researcher, this is a great way to help keep companies secure and make some extra spending money.