Why you need a Website Vulnerability Disclosure Policy

If you host a website, chances are you’re always vigilant about ensuring its security and protecting it from vulnerabilities.

Even with exhaustive measures in place to bolster website security, the daunting reality remains that vulnerabilities may linger undetected. That thought haunts the dedicated people entrusted with safeguarding online platforms and keeps them restless and vigilant through the night.

Does the above resonate with you? It is constantly at the forefront of my mind, especially since our snapWONDERS offerings are available across different mediums: the clearnet / web and the dark web via Tor and I2P.

What exactly is a Website Vulnerability?

A security vulnerability is a flaw or weakness in the design, implementation, operation or management of a product or service that could be exploited to compromise the confidentiality, integrity or availability of data.

Website vulnerabilities can be located at various layers such as the application layer, network layer, and infrastructure layer. Common website vulnerabilities include SQL injection, XSS attacks, insecure file uploads, and vulnerable third-party plugins or add-ons, which can compromise data security.

What is a Vulnerability Disclosure Policy (VDP)?

In short, a vulnerability disclosure policy (VDP) is a set of guidelines and procedures that organisations put in place to address how security researchers and other external parties should report potential vulnerabilities in their systems or software. This policy outlines the process for reporting vulnerabilities, the expected timeline for fixes, and the measures that will be taken to protect the reporter’s identity and data.

Why should you have a Vulnerability Disclosure Policy?

There are several reasons to have a Vulnerability Disclosure Policy, but the major motivators for me to consider one for the snapWONDERS website were:

  • According to a study conducted by the National Cyber Security Centre (NCSC) in the United Kingdom, researchers were more likely to report vulnerabilities when organisations had a clear vulnerability disclosure policy in place. The study found that organisations with a vulnerability disclosure policy received an average of 23.3% more vulnerability reports compared to those without such a policy.
  • In addition, according to a study conducted by the Ponemon Institute, organisations with a vulnerability disclosure policy in place experience 75% faster resolution times for vulnerabilities compared to those without one. Additionally, companies with a structured vulnerability disclosure policy can fix vulnerabilities 30% more quickly than those without such a policy.

If your website was hacked, you would want to know about it as soon as possible. A VDP sets out the whole process, from how you can be contacted to how the reported vulnerability will be addressed.

Which Vulnerability Disclosure Policy should I use?

This is probably one of the most important decisions you will need to make. Choosing the wrong policy may send mixed messages to your customers and the cyber security community, and affect your branding.

The main ones are:

  1. Responsible Disclosure: Researchers report vulnerabilities to organisations first to fix them before public disclosure.
  2. Coordinated Disclosure: Working with organisations to fix vulnerabilities before public disclosure.
  3. Full Disclosure: Publicly disclosing vulnerabilities without giving organisations a chance to fix them first.
  4. No Disclosure: Some organisations choose not to disclose vulnerabilities.
  5. Internal Disclosure: Disclosing vulnerabilities internally to the organisation’s security team.
  6. Bug Bounty Programs: Rewarding researchers who report vulnerabilities through bug bounty programs.
  7. Legal Action: Organisations may take legal action against researchers who disclose vulnerabilities without permission.

How to Publish and Advise your Vulnerability Disclosure Policy?

Once you have completed your Vulnerability Disclosure Policy and are ready to publish the details of how researchers and others can report security vulnerabilities, complete these steps:

  • Create a “security.txt” text file that provides all the details, such as contacts, the location of your policy and other relevant information.
  • Place it on your website so that it is served at the /.well-known/security.txt URL over HTTPS.

You can use the generator tool at https://securitytxt.org/ and populate all the fields needed.

It is worth noting that security.txt is a proposed Internet standard, RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116), which concisely advertises an entity’s vulnerability disclosure process.

The snapWONDERS security.txt looks like:

Contact: mailto:vdp@snapWONDERS.com
Contact: https://snapwonders.com/contact
Expires: 2026-04-30T14:00:00.000Z
Acknowledgments: https://snapwonders.com/vulnerability-disclosure-policy#section-10
Preferred-Languages: en
Canonical: https://snapwonders.com/.well-known/security.txt
Policy: https://snapwonders.com/vulnerability-disclosure-policy
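As an added example (not code from this page, from snapWONDERS or from securitytxt.org), here is a small Python parser and validator for a security.txt file. It takes the snapWONDERS file above as sample input, plus a constructed counter-example using the reserved example.com domain, and checks the RFC 9116 rules that matter most before you publish: Contact and Expires present, Expires and Preferred-Languages not repeated, web URIs using https, and Expires in the future, with a warning when it is more than a year away (the RFC recommends keeping it under a year). The severity labels and the canonical-path check are this example's own choices.

```python
"""Parser and validator for a security.txt file (RFC 9116).

Added example, not code from the snapWONDERS site or from securitytxt.org.
SAMPLE is the security.txt printed in the article; BROKEN is a constructed
counter-example with deliberate mistakes.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Sample 1: the snapWONDERS security.txt as printed in the article.
SAMPLE = """\
Contact: mailto:vdp@snapWONDERS.com
Contact: https://snapwonders.com/contact
Expires: 2026-04-30T14:00:00.000Z
Acknowledgments: https://snapwonders.com/vulnerability-disclosure-policy#section-10
Preferred-Languages: en
Canonical: https://snapwonders.com/.well-known/security.txt
Policy: https://snapwonders.com/vulnerability-disclosure-policy
"""

# Sample 2: constructed counter-example (example.com is a reserved test domain).
BROKEN = """\
# comment lines are allowed and ignored
Contact: http://example.com/security
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
this line has no field name
"""

REQUIRED = ("contact", "expires")                   # RFC 9116: MUST be present
SINGLE_VALUED = ("expires", "preferred-languages")  # RFC 9116: MUST NOT repeat
URI_FIELDS = ("contact", "acknowledgments", "canonical", "encryption", "hiring", "policy")
WELL_KNOWN_PATHS = ("/.well-known/security.txt", "/security.txt")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(\S.*)$")


def parse_security_txt(text):
    """Map lower-cased field names to the list of values seen, in file order.
    Blank lines and '#' comments are skipped; other non-field lines are kept
    under the key '_malformed' so the validator can report them."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if m is None:
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields


def parse_expires(value):
    """Parse the RFC 3339 timestamp used by Expires; a trailing 'Z' means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def validate(fields, now=None):
    """Return (errors, warnings). Errors break a MUST in RFC 9116; warnings
    cover its recommendations. 'now' may be a datetime, an RFC 3339 string
    (handy for repeatable tests) or None for the current time."""
    if isinstance(now, str):
        now = parse_expires(now)
    now = now or datetime.now(timezone.utc)
    errors, warnings = [], []
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            errors.append(f"field must appear only once: {name}")
    for line in fields.get("_malformed", []):
        errors.append(f"malformed line: {line!r}")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            parsed = urlparse(value)
            # Web URIs in these fields must be https; a bare address is not a URI at all.
            if parsed.scheme.lower() in ("", "http"):
                errors.append(f"{name} must be a URI and, if web-based, use https: {value}")
            elif name == "canonical" and parsed.path not in WELL_KNOWN_PATHS:
                warnings.append(f"canonical URI is not at a standard location: {value}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = parse_expires(value)
        except ValueError:
            errors.append(f"expires is not a valid timestamp: {value}")
            continue
        if expires <= now:
            errors.append(f"file is stale: expired {expires.isoformat()}")
        elif expires - now > timedelta(days=365):
            warnings.append("expires is more than a year away; RFC 9116 recommends under a year")
    return errors, warnings


def check(text, now=None):
    """Parse and validate in one step; returns (fields, errors, warnings)."""
    fields = parse_security_txt(text)
    errors, warnings = validate(fields, now)
    return fields, errors, warnings


if __name__ == "__main__":
    for label, text in (("snapWONDERS", SAMPLE), ("broken", BROKEN)):
        _, errors, warnings = check(text)
        print(f"{label}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for msg in errors:
            print("  ERROR  ", msg)
        for msg in warnings:
            print("  WARNING", msg)
```

Run it as a script to see the report for both samples; pass a fixed timestamp to `check(text, now=...)` when testing so the verdict does not depend on the day you run it. The validator only looks at the file's contents, so serving it at /.well-known/security.txt over HTTPS remains a separate check to make once it is deployed.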

After I have published my VDP, is that it?

Congratulations on getting your VDP out. This just marks the start of your journey in staying vigilant about security and protecting your website from vulnerabilities.

With so many ever-changing things happening in the world of IT, you will need to keep on top of these changes. So no, that is not “it”.

The good news is that if security researchers or professionals find vulnerabilities in your website, at least you have provided all the details to facilitate reporting the vulnerability and described the process you will follow to action it.
