In the application security world, we are all familiar with the BSIMM Maturity Model for determining what areas you need to invest in for application security. Katie Moussouris, Chief Policy Officer at HackerOne, has created a maturity model for vulnerability disclosures. We aren’t talking about a model to determine your preparedness for a public vulnerability disclosure, like Heartbleed. She is talking about when an independent security researcher from outside your company lets you know he or she found a vulnerability in your product.
Katie has some serious street cred on this issue, as she helped create Microsoft’s bug bounty program – something they swore they would never do. But sadly, 94% of companies don’t have a policy or process for what to do when they are approached with a vulnerability. Some even threaten the “hacker” with legal action! Which, if you think about it, is crazy. They aren’t extorting you, they are letting you know they found a vulnerability and you should fix it.
Katie went through her maturity model in depth, which includes 5 components: communication, analytics, engineering, incentive, organizational. Each has a three-point scale that is well defined and measurable.
The model is great for helping you determine how strong your program is. But why should you have a program in the first place? From my point of view, it is simple. As Katie said in her presentation, you should always strive to find all vulnerabilities using internal resources, but you won’t catch everything. So why discourage researchers from letting you know about the vulnerabilities?
We already know there are a lot of “bad actors” out there trying to penetrate systems, and many do it through software vulnerabilities. There is a dark web or underground Internet economy where vulnerability information can be sold. If we make it undesirable for these white-hat hackers to work with businesses when they find vulnerabilities, they will monetize their skills in some other way – turning to cybercrime. Now, one may argue that they could just not look. But that is not in the nature of the hacker. I say, let’s harness this power and thank those who are trying to help make the Internet a safer place.