This is a quick post on what a vulnerability disclosure program is. I will explain it in more detail later on.
A vulnerability disclosure program, also known as a bug bounty, is a program in which a company allows independent researchers to report vulnerabilities they find directly to the company.
To put it another way: you own a company, and a security researcher approaches you. They let you know of a potentially dangerous vulnerability. You, in turn, fix the issue and compensate them for their time and effort.
Now this could be done with them directly or through a third party such as Bugcrowd or HackerOne. Look at the diagram below.
- You create or run the program directly or through a third party.
- Researcher finds out about your bug bounty program.
- Researcher finds a bug.
- Bug report is submitted.
- Vulnerability is fixed.
- Researcher is paid for their report.
- Cycle starts anew.
If you are a company, a bug bounty is great to have, as it helps keep your network secure. If you are a researcher, this is a great way to help keep companies secure and make some extra spending money.