May 10th, 2023
Vulnerability disclosure programs (VDPs) and bug bounty programs are common approaches to implementing “crowdsourced security”. In crowdsourced security, organizations invite a group of individuals (“a crowd”) to uncover vulnerabilities in applications. Bug bounty programs and VDPs are useful in this context because they enable companies to accept vulnerability reports from third parties, like researchers and ethical hackers.
This doesn’t mean the two are one and the same, however. Bug bounties and VDPs adopt different approaches to vulnerability management and have unique use cases. For Web3 projects and companies faced with launching a bug bounty or establishing a VDP, knowing the differences can help with making informed decisions.
This guide will provide a brief definition and overview of VDPs and bug bounties before discussing their differences. We’ll also provide recommendations on which vulnerability management approach—VDP or bug bounty—to choose based on various factors.
A vulnerability disclosure program (VDP) establishes a reliable framework for reporting vulnerabilities found in a company’s software, assets, or digital infrastructure. The vulnerability disclosure policy outlines an organization’s approach toward vulnerability discovery and disclosure and often includes the following details:
Brand statement: The company’s official statement explaining its commitment to security and goals for the vulnerability disclosure program.
Scope: A description of assets hackers are allowed to test and, sometimes, the types of vulnerabilities valid for consideration.
Guidelines: Rules guiding the vulnerability discovery and disclosure process, such as what and what not to do when testing systems for bugs.
Processes: Details on how the company should be notified of vulnerabilities and what to expect concerning communication and remediation timelines.
Safe harbor: A promise to avoid legal action against security researchers that follow due process when finding and submitting bugs.
By establishing a VDP, companies make it easy for anyone stumbling on a vulnerability to report it and enable prompt remediation. This is important because individuals who discover vulnerabilities may hesitate to notify application developers for fear of legal action. Moreover, the lack of a formal method for submitting vulnerability reports could discourage finders from alerting organizations about known vulnerabilities.
A VDP establishes the terms of an organization’s relationship with members of the security community and communicates to users and partners that it takes security seriously. It also fosters better collaboration between a company and individuals interested in helping it find vulnerabilities before malicious actors do.
VDPs can be public (anyone can report software bugs) or private (only pre-approved parties like vendors or partners can disclose bugs). While public VDPs are common, some organizations may prefer a private VDP—for example, if there are concerns around confidentiality or lack of resources to handle submissions.
A bug bounty is a financial reward companies offer to ethical hackers and security researchers in exchange for responsibly disclosing bugs in software products. Bug bounty payouts correlate to the severity of identified vulnerabilities, with the most critical bugs attracting higher bounties.
Like VDPs, bug bounty programs have a defined scope and rules guiding the process of detecting and reporting vulnerabilities. They also include protection for bug hunters from lawsuits and provide secure channels for submitting vulnerability information to affected companies.
A public bug bounty is similar to a public VDP in that anyone interested can volunteer information about vulnerabilities. With a private bug bounty program, only individuals authorized by the organization can test assets/applications and report issues.
Differences between a VDP and a bug bounty program
Bug bounties pay out cash for vulnerabilities discovered in a company’s software. For example, a DeFi project may offer cash rewards for finding bugs in its smart contracts. This provides a financial incentive for hackers—who could otherwise exploit a vulnerability—to report the problem to application developers.
VDPs rarely offer rewards for bug submissions and require individuals to disclose vulnerabilities out of “good faith”. Even so, VDPs still attract participation because they provide recognition (participants are usually allowed to publicly disclose details of a vulnerability). In contrast, bug bounty programs may preclude that through a non-disclosure agreement (NDA).
A vulnerability disclosure program is usually self-managed, although it could be coordinated via a third-party service. Companies will usually put up the vulnerability disclosure policy on a website and provide a secure form or email address (ours is email@example.com) for researchers to submit bug reports.
Due to the complexity of bug bounties, companies often outsource the management of bounty programs to third-party platforms like YesWeHack, Synack, and Bugcrowd. This often reduces administrative overhead for organizations and saves valuable time and effort (as opposed to a self-managed VDP).
On average, a VDP is cheaper to run than a bug bounty program. If vulnerability disclosures don’t attract any kind of monetary reward, then investment in personnel would be the biggest cost of running a VDP. For example, you’ll need someone to receive and triage vulnerability reports and handle communications with submitters.
Bug bounty programs often require a higher investment: in addition to investing in necessary manpower, you need funds to pay for bug submissions. Bug bounty platforms can reduce administrative overhead—for example, by providing triage teams—but charge a fee for this service.
VDPs usually have a broader scope than bug bounties, which makes sense since the organization doesn’t pay for vulnerabilities. In contrast, a company may restrict the scope of bug bounties to testing “critical infrastructure” (i.e., important applications and assets) for severe vulnerabilities.
To put it another way, a VDP provides more coverage while a bug bounty program encourages more targeted testing. Hence, VDPs are often required for compliance purposes whereas running a bug bounty is up to the organization.
Except for private programs, VDPs are open to any party with information about a bug in a project’s software (or smart contracts). This could include ethical hackers, security researchers, partners, or even end-users that notice bugs in the app.
Public bug bounties typically attract individuals from the wider hacker community to compete in finding the most bugs. But an organization may prefer hackers with specific skills and backgrounds—which is where private bug bounties come in. In this case, the bug bounty platform matches the company with hackers that meet qualifications after vetting them.
A VDP is a passive approach to cybersecurity that encourages third parties to share information about software errors with development teams. In colloquial terms, a VDP is described as the “see something, say something” of cybersecurity.
Bug bounty programs actively encourage researchers to simulate attacks on a company’s assets and expose potential security weaknesses. This is an active approach often adopted by companies that want to proactively secure platforms and safeguard users.
VDPs and bug bounties both aim to gather third-party information about bugs in software systems. Without a VDP or bug bounty, organizations have no clear means of receiving vulnerability reports from concerned individuals. Thus, a minimum requirement for security is to have either an active bug bounty or an established VDP (or both) in place.
Incentives are the most important distinction between VDPs and bug bounties. While VDPs rely on recognition and altruism, bug bounty programs motivate bug submissions through monetary rewards. The two also differ in terms of their scope, cost, structure, access to talent, and approach to mitigating vulnerabilities.
Should you start a bounty program or create a vulnerability disclosure policy? That depends on several factors, including your Web3 company’s security goals, internal resources (financial and human), and overall attack surface. Your organization’s experience with collaborating with third parties on security issues will also determine if a private or public VDP or bug bounty is best.
We should note that crowdsourced security is only one part of a comprehensive security strategy that also includes traditional methods like advanced penetration testing and smart contract auditing.
Contact the Halborn team today for more information on how we can help keep your Web3 project safe.