Threat and Vulnerability Management

How a vulnerability disclosure policy lets hackers help you

In 2015, two US security researchers hacked a Chrysler Jeep as it sped down the highway, remotely sending commands to the dashboard through the car's entertainment system. They gained control of the steering, brakes, transmission, radio – even the windscreen wipers. Nobody was hurt; the researchers were merely demonstrating a security flaw to the slightly terrified Wired journalist behind the wheel. But their work led to the recall of 1.4 million Chrysler vehicles, and showed that the car industry needed to get serious about security flaws.

Roughly six months after the story was published, General Motors, in partnership with HackerOne, a bug bounty and disclosure portal provider, launched a vulnerability disclosure policy (VDP) in an effort to encourage ethical hackers to help them identify security flaws. “If you have information related to security vulnerabilities of General Motors products and services, we want to hear from you,” reads the page on HackerOne's platform. “Please submit a report in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.”


How common is a vulnerability disclosure policy (VDP)?

This open-door approach to ethical hacking is still far from the norm. HackerOne's 2018 Hacker Report, which surveyed 1,698 members of the hacking community, found that almost one in four ethical hackers have not reported a vulnerability because the company in question doesn't have a VDP. Those who'd tried to notify the company through other channels, such as email or social media, also claimed they were “frequently ignored or misunderstood”.

The situation is slowly improving: 72 percent of the respondents in the report said companies were becoming more open to receiving information on vulnerabilities. But 94 percent of the Forbes Global 2000 still haven't published a VDP – something they may come to regret.

Duncan Jefferies

Duncan Jefferies is a London-based freelance journalist who writes about technology, digital culture and sustainability.
