Black Hat speaker Imran Parray (Founder and CEO at Snapsec) launched his career by reporting thousands of security vulnerabilities to companies via their security disclosure programs. Those companies included Google, Auth0, Typeform, and Hibob – and by helping them secure their networks, Parray gained both experience and a positive reputation among potential clients.
For fledgling ethical hackers looking for a way to establish themselves in the sector, this is a route worth considering. You'll fine-tune your skills, gain real-world knowledge and effective working methods, and have the opportunity to build relationships with organisations at the same time.
What is a VDP?
A vulnerability disclosure program (VDP) is an organised framework that allows hackers to record and submit vulnerabilities to organisations – and encourages them to look for those vulnerabilities in the first place.
For the host organisation, VDPs support overall security posture by inviting ethical hackers to report vulnerabilities through a structured program, so the organisation can patch those vulnerabilities before malicious hackers exploit them.
Private and public sector organisations run VDPs that are managed either by their internal security team or by an external security provider. A VDP must be built around a trusted methodology for receiving, assessing, and acting on vulnerability reports, so most programs triage reported vulnerabilities by severity and include a tracking system that shows the progress of remediation for each one.
What are the benefits for hackers?
Ethical hackers are not usually paid for reporting vulnerabilities via a VDP (that is the main difference between a VDP and a bug bounty program); the practice is sometimes described as a 'neighbourhood watch' system that provides a structured framework for everyone to look out for each other. But that doesn't mean it's a purely altruistic activity: hackers benefit from engaging in vulnerability disclosure programs in a number of ways, including:
Testing and improving your skills on a real-world attack surface, not a simulated environment.
Establishing new relationships with organisations, or strengthening existing ones, with the potential for future collaborations or work engagements.
Contributing to the strength of the overall cybersecurity community, knowing you are helping to improve an organisation's security posture.
Gaining recognition within the cybersecurity community for being active and effective at finding and disclosing vulnerabilities.
How do you find an organisation’s VDP?
Organisations with a vulnerability disclosure program will usually publish their vulnerability disclosure policy on their website. That policy will probably look something like CISA's vulnerability disclosure policy template, detailing the organisation's disclosure guidelines, which systems are in scope, the testing methods it will (and won't) accept, how to report a vulnerability, and what you can expect in response.
Read each organisation's policy in full, because they do vary: testing a system that is out of scope, or using a prohibited method such as denial-of-service testing or social engineering, puts you outside the protection the policy offers. Then get involved: seek and disclose vulnerabilities for those organisations and use that work to lay the foundations for your career to grow.
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!