With a little help of 20.000 friends

 

Are you afraid of starting a vulnerability disclosure policy or bug bounty programme? You shouldn’t be! Quite the contrary, as Valéry Vander Geeten of the CCB and Stijn Jans of Intigriti made perfectly clear in their cybertalk. A ‘coordinated vulnerability disclosure policy’ (CVDP), supported by a bug bounty programme, provide perfect, even necessary complements to classic security measures (as e.g. pentesting). The advantages are many, as these initiatives provide a continuous testing effort by as many ‘researchers’ as you want (from a select group to a world wide community) in a controlled way (you determine the scope). Furthermore, rather than paying for ‘time spent on the job’, you only offer rewards for actual impactful vulnerabilities. As this will be new for many organizations, the CCB authored a guide about establishing a CVDP, while publishing such a policy of their own on their site.

Calling upon a partner as Intigriti to set up a ‘bug bounty’ programme can be a big help, as they provide you with a community of vetted researchers, and take care of a structured handling process (including advice, communication channel, validating claims, etc.). That leaves you as an organization free to focus on its internal process of mitigating those vulnerabilities.

Bluntly, CVDP and bug bounty programmes will not replace classic security measures, but may be regarded as absolutely necessary complements. Do consult this cybertalk to learn about the benefits and why these initiatives really are a must.



Andere blogposts

NIS-2: Where are you?

In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.  

SANS Experience Sharing Event

The Cyber Security Coalition and top cybersecurity trainer SANS Institute joined forces to provide specially needed insights and recommendations on successful cloud security, as well as how to handle cyber security in these times of war.

Privacy Focus Group – Practical AI Use Cases

It is easy to drown in the sea of dire warnings about the danger of AI, in particular to our privacy. The main point is that AI in good trust is possible, but requires solid, long term and well-structured approaches. This session of the Privacy focus group offers some crucial insights and welcome examples.

30 November: Computer Security Day: Ada Lovelace

On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.


Deel deze nuttige inhoud met vrienden: