Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Computers & Security (2022)

Abstract
Coordinated Vulnerability Disclosure (CVD) programmes leverage a global network of independent security researchers (hackers) to support pre- and post-deployment security. Organisations are increasingly adopting Bug Bounty Programmes (BBPs) and Vulnerability Disclosure Programmes (VDPs) to outsource work from internal security teams, and are able to use the results of a programme to help shape their Software Development Life Cycle (SDLC) processes. Motivated by the question "How effectively are organisations utilising CVD programmes?", we aim to address two issues concerning the operation of CVD programmes. First, it is necessary to identify the pre- and post-launch issues faced by programme operators that inhibit effective operation. Second, organisations stand to benefit if they are able to use the results of a CVD programme outside of the typical reporting and triaging information flow between a hacker and the operator. As such, it is useful to explore how the results of a CVD programme influence change across the SDLCs of real-world organisations and to measure the extent to which this occurs. We report the results of a qualitative study based on 39 survey responses and eight semi-structured interviews with individuals involved in the operation of CVD programmes. We find that the fears and issues faced by organisations are similar to those identified in earlier studies, suggesting that there has been little progress in preventing the prevalent problems faced by CVD programme operators. High volumes of low-quality, low-value reports still burden operators and consume resources. We also find that organisations use the information contained in vulnerability reports to influence change in a number of security activities, namely testing, communication processes, and the specification of security requirements. Finally, based on the responses from the surveys and interviews, we provide recommendations to those looking to establish a CVD programme.
Keywords
Coordinated vulnerability disclosure, Bug bounty programmes, Responsible disclosure programmes