Andrii Stepanov
Marketing Manager

Why crypto business needs a vulnerability disclosure program

Crypto businesses are constantly targeted by malicious hackers. Attackers probe places like your business website or smart contracts, and when they find a critical vulnerability they want to turn it into a jackpot. The most rewarding way is to exploit the bug, disappear, and hide all traces.

Crypto business owners are responsible for deterring hackers from causing financial and reputational damage. The most common approaches are vulnerability disclosure programs and bug bounties.

Also, the crypto industry is increasingly moving towards standardization to address security, regulatory, and interoperability challenges. This trend is driven by the need to build trust, ensure compliance with global regulations, and enhance the integration of diverse blockchain platforms. Here are some key aspects of this standardization.

Coordinated disclosure of vulnerabilities is a best practice recognized by many global standards.

  • The National Institute of Standards and Technology (NIST), in a 2023 directive (NIST SP 800-53 Rev. 5), requires SaaS vendors to establish a public channel for reporting vulnerabilities.
  • Similarly, ISO 29147 provides guidelines for vendors on disclosing vulnerabilities in their products and services.
  • Even the U.S. Department of Defense (DoD) runs a VDP, established in 2016 by the Secretary of Defense.
  • While ISO 27001 doesn’t require a VDP, it encourages organizations to adopt practices that support robust information security, including mechanisms for reporting and managing vulnerabilities.
  • The General Data Protection Regulation (GDPR) in the European Union requires organizations to report certain types of data breaches, specifically under Article 33 of the GDPR.

What is a Vulnerability Disclosure Program (VDP)?

A vulnerability disclosure program (VDP) is a formalized process that allows individuals to report security vulnerabilities in a company’s products or services. It is an open invitation for anyone to submit potential security issues they discover.

A VDP is a set of rules for ethical hackers to report the bugs they discover. It is typically published as a web page containing:

  • Issues to report (in-scope, focus)
  • Issues to ignore (out-of-scope)
  • Targets (websites, apps, smart contracts, API)
  • Submission form
  • SLA (response, review and triage times)

VDP pages are meant to produce structured bug reports for your project’s developers. However, a prepared flow for handling goodwill bug reports is not, by itself, enough to incentivize hackers. Good VDP pages also include the rules of their bug bounty.

What is a Bug Bounty Program?

A Bug Bounty Program is a specific type of VDP that incentivizes security researchers to find and report vulnerabilities by offering financial rewards or other forms of compensation.

A bug bounty is a crowd-sourced cybersecurity program. It incentivizes hackers to come out of the shadows and be legally rewarded for their hard work. The bigger the reward per bug, the more likely a hacker is to report it.

VDP & Bug Bounty Program Comparison

Incentives:

  • VDP: Typically offers recognition and gratitude.
  • Bug Bounty: Offers monetary or other rewards, plus recognition, to individuals who report valid vulnerabilities.

Participants:

  • VDP: Open to the general public; in practice, however, the audience is often limited to individuals who are already familiar with the project or the organization.
  • Bug Bounty: Attracts a more professional and competitive crowd of security researchers, since bug bounty platforms have extensive communities of skilled researchers actively participating in their programs.

Management:

  • VDP: Usually managed internally, without external help.
  • Bug Bounty: Often managed through specialized third-party platforms that handle submissions, rewards, and communication. The company’s internal team can also triage reports itself.

Focus:

  • VDP: Focuses on internal processes. A VDP creates a formal mechanism for receiving and managing vulnerability reports from the public or from specific stakeholders.
  • Bug Bounty: Focuses on incentivizing continuous security research by offering financial rewards and recognition to researchers who discover and report vulnerabilities.

Security:

  • VDP: Only the company’s internal team has access to the reports (if no third party triages them).
  • Bug Bounty: The platform’s triage team can have access to your reports. If you need an extra layer of security, check whether the platform provides end-to-end encryption of reports.

How to create a VDP for a crypto business

Define Objectives and Scope:

  • Delineate the boundaries of the VDP, determining whether it will encompass the entirety of the organization’s network infrastructure and data repositories, or only a select subset of critical assets.
  • Articulate the categories of vulnerabilities that fall within the program’s purview. For instance, explicitly exclude social engineering tactics and denial-of-service attacks if their potential to disrupt regular operations is deemed unacceptable.
  • Identify specific vulnerability assessment or penetration testing tools that could potentially destabilize the organization’s systems, and explicitly forbid their use within the policy framework.

Reporting Mechanisms:

  • Establish a robust framework for vulnerability reporting, specifying the type and detail of data necessary for a thorough evaluation. Reports may range from succinct descriptions of vulnerabilities to comprehensive submissions inclusive of exploit code.
  • Define clear protocols for the submission and handling of different proof types, with particular attention to the management of executable malware to mitigate security risks. Specify the acceptable formats and channels for such submissions.

Communication Channels:

  • Create a dedicated email account or a submission portal exclusively for vulnerability reports, ensuring it is accessible to all relevant personnel responsible for managing disclosures. Avoid reliance on personal email accounts. Adopt a standardized naming convention, such as “security@[organization].”
  • Develop and maintain a secure online form on the organization’s website to facilitate the submission of vulnerabilities, ensuring data integrity and confidentiality.

Incentives and Reporting Timeline:

  • Evaluate the feasibility of offering incentives, such as monetary rewards (bug bounties) or other forms of recognition and rewards (e.g., swag, public acknowledgment) to encourage participation in the VDP.
  • Recommend a clear timeline for the reporting of identified vulnerabilities, suggesting immediate disclosure upon discovery, or within a practical timeframe post-validation.

Accessibility and Promotion:

  • Ensure the VDP is readily accessible by prominently displaying the policy on the organization’s primary web pages.
  • Actively promote the VDP through strategic channels, including industry mailing lists, and press releases to relevant trade publications, to maximize visibility and engagement.

Examples of successful VDPs

One of the most renowned self-hosted Vulnerability Disclosure Programs (VDPs) is Google’s. Google clearly defines the services and assets within the program’s scope and specifies the types of vulnerabilities that can be reported. This clarity helps security researchers, known as White Hats, understand the boundaries and expectations of the program.

Additionally, Google offers potential rewards for valid vulnerability reports, which vary based on the severity and impact of the identified issue. This incentivizes active participation and ensures prompt reporting and mitigation of vulnerabilities, thereby maintaining a strong security posture across Google’s extensive range of products and services.

By maintaining a self-hosted VDP, Google exemplifies how large organizations can effectively manage vulnerability disclosures, fostering a culture of security awareness and continuous improvement.

How HackenProof can help with a VDP

HackenProof is a bug bounty platform that provides an embeddable VDP widget you can copy and paste onto your website:

  • We provide all the functionality needed to launch a VDP and a Bug Bounty from scratch within a few hours.
  • With HackenProof you can run a VDP and a Bug Bounty at the same time.
  • We provide end-to-end encryption of incoming reports.
  • We can help you establish a systematic process for receiving, managing, and addressing vulnerabilities effectively, ensuring compliance with industry standards and enhancing your organization’s security posture.

See the detailed guide on how to create a VDP on HackenProof on our documentation page.

Contact us

Contact us to get professional assistance on running a Vulnerability Disclosure Program (VDP) today.