Coordinated Vulnerability Disclosure
Show the world that you are open to receiving vulnerability reports from the hacker network, while also prioritising what matters most. Have your CVD managed so that only valid and relevant reports reach you.
More information
Would you like to know more about the product? Book a call through the button below to talk to the Zerocopter staff.
Your guide to Coordinated Vulnerability Disclosure
Want to get started with Coordinated Vulnerability Disclosure? Or simply like to read more about the practices and how to apply CVD within your organization? Download our free digital booklet below to learn more about the product.
General frequently asked questions
I am not a software company, so why should I need a CVD policy?
Most companies simply don’t know what attack surface they have. Sure, you are using Office 365, but wouldn’t you want to know that your team unintentionally left something open that wasn’t supposed to be open? Or that the forgotten VPN is still active in the basement?
A Coordinated Vulnerability Disclosure (CVD) policy is crucial for any company that wants to stay on top of its game and keep its products and services secure: it lets you identify vulnerabilities quickly and fix them before attackers exploit them. Having a CVD policy also helps build trust with customers and stakeholders by showing them how much the company values the security of its products and services. You simply can’t put a price on that kind of confidence!
Am I obliged to implement a CVD policy due to NIS2?
Whether or not you are obliged to implement a CVD policy depends on whether your company falls under one of the two categories: “essential operators” and “important operators.”
Among the essential entities are: Energy, Transport, Finance, Public Administration, Health, Space, Water Supply and Digital Infrastructure. Among the important operators are: Postal Services, Waste Management, Chemicals, Research, Food Manufacturing and Digital Providers. You can check whether your company falls under the NIS2 directive here.
And if your company doesn’t fall under one of these categories yet, it is just a matter of time. So why not start now?
What is the difference between CVD and Pentest/Bug Bounty?
A penetration test, also known as a pentest, is a very useful tool for assessing a system’s security, and is usually done by one or two testers. But pentests are relatively costly, and because they go deep, they cannot cover the entire scope and every aspect of the system. This is where a Coordinated Vulnerability Disclosure (CVD) policy comes in handy. By inviting a larger group of hackers with different areas of expertise, you gather a wider range of information about potential vulnerabilities in the system. These reports can then be compiled and analyzed to see which areas of the system are at risk and require the most attention.
Bug bounty programs are essentially organized CVD events with extra motivators. CVD is a passive agreement under which vulnerabilities are discovered and disclosed without punishment. Bug bounty programs, on the other hand, actively ask reporters to find vulnerabilities and pay them for reporting, also without penalty. A bug bounty program can bring in a large number of vulnerability reports, and its size can be controlled by limiting who is invited, which deviates from the basic principle of CVD: CVD is public. The two programs go hand in hand.
What is the difference between CVD and Security.txt?
One of the most important elements of vulnerability disclosure, and a challenge for the reporter, is knowing who to contact. Security.txt is an IETF informational specification (RFC 9116) describing a text file that webmasters host in the “/.well-known” directory of the domain root. It advertises the organisation’s vulnerability disclosure process so that a reporter can quickly find all of the information needed to report a vulnerability. Most of our clients link to their CVD policy from their security.txt, and the policy describes the do’s and don’ts as well as other useful information for the reporter.
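To make the security.txt requirements concrete, here is an added example (not Zerocopter's code) that parses a security.txt file and checks the RFC 9116 rules a reporter depends on: a Contact field is present, Expires is present exactly once and not in the past, and a Policy URL links to the CVD policy. The sample file and the example.com URLs are constructed for the example.

```python
from datetime import datetime, timezone

# Fields that RFC 9116 allows at most once per file.
SINGLE_USE = {"Expires", "Preferred-Languages"}


def parse_security_txt(text):
    """Return {field: [values]} for every 'Field: value' line; comments are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not a field line, ignore it
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("Contact"):
        problems.append("missing required Contact field")
    for name in SINGLE_USE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    expires = fields.get("Expires", [])
    if not expires:
        problems.append("missing required Expires field")
    elif len(expires) == 1:
        try:
            # RFC 9116 uses the RFC 3339 date-time form, e.g. 2030-12-31T23:59:00Z
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append(f"file expired on {expires[0]}")
        except (ValueError, TypeError):   # unparsable or missing time zone
            problems.append("Expires is not an RFC 3339 date-time")
    if not fields.get("Policy"):
        problems.append("no Policy URL pointing at the CVD policy")
    return problems


# Constructed sample of what example.com would serve at /.well-known/security.txt
SAMPLE = """# constructed example, not a real organisation's file
Contact: mailto:security@example.com
Expires: 2030-12-31T23:59:00Z
Policy: https://example.com/cvd-policy
Preferred-Languages: en, nl
"""
```

Running `check_security_txt(SAMPLE)` returns an empty list; an expired or incomplete file returns the list of problems a reporter would run into.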
How long should a CVD program run?
Most CVD programs run indefinitely, because new bugs pop up every day and you want to be informed as quickly as possible. You can compare it with setting up an info@ email address for your company: if someone has a question, they mail it and you know about it. In the same way, whenever someone finds a bug, you will now know before the bad guys do.
Why would hackers help me?
After being involved in the hacker community for many years, we know that these are the main reasons why hackers want to help organizations:
- Their data is in your systems as well. Or their friends or family data. And they like to have that protected from bad guys just as much as you do.
- They like to show off their skills. The hacker mindset is to use technical knowledge and curiosity to get into your system and complete the puzzle. They do not need your data, but they want to show you that they can get to it, and maybe earn some reward or acknowledgement, while you are happy that another hole is fixed.
Why do I need to run a CVD program via a platform?
We think it is better to have a managed program in place, as this guarantees that you and your team won’t be flooded with invalid reports, letting you focus on what matters most. There are several benefits to having your CVD managed by Zerocopter:
Expertise: Our team of experienced hackers is expert in identifying and verifying vulnerabilities, guaranteeing that you get accurate and actionable reports.
Only valid insights: A triage team is crucial for evaluating the reports you receive, because around 70% of submitted reports are invalid: many have been reported before, are false positives, or are simply incomplete. By having a triage team validate and assess the completeness of your reports, you not only avoid becoming overwhelmed but, more importantly, reduce the risk of overlooking a critical or severe vulnerability in the pile of reports.
Cost-effectiveness: Our managed CVD service is incredibly cost-effective and a great alternative to hiring a full-time security team or outsourcing to a traditional security firm.
Reputation: With Zerocopter’s reputation as a trusted and reputable provider of CVD services, you’ll be able to build trust with hackers and demonstrate your commitment to being secure.
Overall, having your CVD managed by Zerocopter will help to ensure that vulnerabilities are identified quickly and effectively, all while minimizing the risk of exploitation by malicious actors.
I have a scanner, why will I need this?
Scanners can find bugs, but certainly not all. And even if they could – let’s say you have all the scanners – business logic bugs will never be found by any scanner. You need hackers for that. And having a CVD policy in place will get them to help you as they feel it’s safe to report them!
Hackers & Reports frequently asked questions
What happens after a vulnerability is reported through CVD?
The process is as follows. When a vulnerability is reported, it enters the triage queue and our team picks it up and tries to validate the finding. If it is invalid, we inform the reporter that the finding can’t be validated. If we can validate the report but it isn’t complete, we ask the reporter for additional information or reproduction steps. If it is valid, we assign a severity based on our scoring system and put the finding in your queue so your team can pick it up and start fixing it. If you want to thank the reporter, you can pick a bounty as a reward; we pay the reporter and invoice you for that amount plus our payment fee. Unfortunately, we do not facilitate sending swag or goodies to reporters.
What are the potential risks or challenges associated with implementing a CVD program, and how can we mitigate them?
After many years of managing CVD programs for our customers, we know that the biggest risk comes when you don’t communicate with the reporter. If you get a validated bug in, please respond to the reporter and say thanks. Keep the communication lines open. Inform them on the steps you are planning to take to fix the issue and keep them updated. Ignoring someone who helps you with good intentions and possibly saves you a lot of money and headache is not something that you should do.
Also, make sure your team, or your external parties, are ready to fix bugs. If you start this without informing the stakeholders within your company, it is bound to fail. They need to have time allocated to fix these bugs as they are probably not on the roadmap.
What level of technical expertise is needed internally to effectively manage and respond to reported vulnerabilities?
You will mostly need fixing expertise, as we handle all the technical validation, advise where needed and even keep the communication going. But you or your team need to be able to fix the reported issues, or, if you can’t, take the appropriate actions to prevent the issue from being exploited by the bad guys at some point.
What happens if I don’t agree with the report?
Sometimes it happens, and then you can decide to mark the report as ‘won’t fix’. Our triage team does not work in your company, so they might not understand all the factors and circumstances, but please always explain why you don’t agree with the report. Keep in mind that once the disclosure period set in the CVD guidelines [link] has passed, the reporter is allowed to talk about the issue in public. That can be fine, but again, the most important thing in this process is to communicate with the reporter and our triage team. We are here to help.
But what if 1 million hackers hit my servers?
While it is a valid concern, it is highly unlikely. You might get some extra attention if you publish your CVD on our page, but we have never seen a server go down because of a CVD implementation. We do get scanner reports, but most of the reporters who send them know us by now and won’t even try once they see that your CVD policy is handled by Zerocopter.
Service frequently asked questions
What is the Triage response time?
Our triage team commits to forwarding valid reports to you as soon as possible, usually within one business day. With years of experience and some great technical optimizations, we can proudly say that they rarely exceed this timeframe. While getting the report to you as fast as possible is important, we truly believe it is more important that your team reacts quickly to the report: in the end, it is about how fast your developers respond.
Is it possible to interact with the hackers if it is desired?
Absolutely! You can communicate with the hackers about their findings directly on the report page, and you can also talk to our triage team whenever you want or need to. Our hackers will happily answer any questions you might have and provide more information where needed; transparency is important within the hacker community. However, if a hacker has chosen to report anonymously, there is no way to contact them.
Can I give a hacker a bounty?
A Coordinated Vulnerability Disclosure report has a reward amount of 0 euros by default, but we offer the possibility to assign a reward to a report.
We always encourage you to show your gratitude to the reporter one way or another, and one option is to reward them. This motivates them to keep testing your environments in the future. In this case, the amount of the reward is completely up to you.
Yes, it is possible: we pay the researchers and send monthly invoices to our clients for the paid bounties plus a 30% handling fee.
Contact
Can't find the answer to your question?
We are here to help.
