How a vulnerability disclosure policy lets hackers help you
Threat and Vulnerability Management

In 2015, two US security researchers hacked a Chrysler Jeep as it sped down the highway, remotely sending commands to the dashboard through the car's entertainment system. They gained control of the steering, brakes, transmission, radio – even the windscreen wipers. Nobody was hurt; the researchers were merely demonstrating a security flaw to the slightly terrified Wired journalist behind the wheel. But their work led to the recall of 1.4 million Chrysler vehicles, and showed that the car industry needed to get serious about security flaws.

Roughly six months after the story was published, General Motors, in partnership with HackerOne, a bug bounty and disclosure portal provider, launched a vulnerability disclosure policy (VDP) in an effort to encourage ethical hackers to help them identify security flaws. “If you have information related to security vulnerabilities of General Motors products and services, we want to hear from you,” reads the page on HackerOne's platform. “Please submit a report in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.”


How common is a vulnerability disclosure policy (VDP)?

This open-door approach to ethical hacking is still far from the norm. HackerOne's 2018 Hacker Report, which surveyed 1,698 members of the hacking community, found that almost one in four ethical hackers have not reported a vulnerability because the company in question doesn't have a VDP. Those who'd tried to notify the company through other channels, such as email or social media, also claimed they were “frequently ignored or misunderstood”.

The situation is slowly improving: 72 percent of the respondents in the report said companies were becoming more open to receiving information on vulnerabilities. But 94 percent of the Forbes Global 2000 still haven't published a VDP – something they may come to regret.

Duncan Jefferies

Duncan Jefferies is a London-based freelance journalist who writes about technology, digital culture and sustainability.
