luke

Key Findings From The Hacker-Powered Security Report: Vulnerability Disclosure Policies (5 of 6)


<Note: This is the fifth in a six-part series expanding on the “key findings” of the Hacker-Powered Security Report 2017. Based on data gathered from over 800 hacker-powered security programs, plus surveys of both those managing the programs and the participating hackers, the report provides striking new insights to help more organizations understand and implement hacker-powered security.>

When someone finds a potential issue with your website, hardware, or software, you want to be notified. Having a vulnerability known to others, but unknown to you, is obviously risky. Giving the finder an easy and conspicuous means for alerting you is your path to safer and more secure products. So why then don’t most organizations have vulnerability disclosure policies?

Hacker-Powered Security Report Key Finding #5: Vulnerability Disclosure Policies.

The Hacker-Powered Security Report found that, despite recommendations from federal agencies, 94 percent of the top publicly-traded companies do not have known vulnerability disclosure policies (VDP). Ninety-four percent! What’s more worrisome is that the number is unchanged from 2015, so companies aren’t taking advantage of this risk-reducing process for identifying security vulnerabilities.

It would be one thing if an obscure security organization recommended having a VDP. But, that’s far from the case. In fact, here are just a few of the federal agencies promoting VDPs:

But while VDPs are encouraged and sometimes mandated by federal agencies, it’s shocking to realize that nearly all companies are still without a public policy.

It’s also not “just a tech thing,” since some of the highest-profile breaches happened to decidedly non-tech companies including Target, Sony, and Home Depot. But other large enterprises are experiencing expensive and damaging breaches, highlighting the need to encourage disclosures. Just this past January, McDonald’s made the news precisely because it didn’t have a VDP.

And now, as the line between tech and everything else is being blurred, the need for VDPs is rapidly growing beyond just your corporate website. Companies are rolling out connected clothes washers, smart forks, connected window blinds — and those are just items for your home.

When you consider the level of connectedness coming to cars, drones, utilities, and industrial and agricultural equipment, the term “tech” becomes meaningless while the need for VDPs becomes ubiquitous. In other words, a VDP is table stakes for every company.

More companies are embracing hacker-powered security, however, and it all begins with a VDP. Panasonic has a VDP, as do major industry conglomerates like General Electric, Siemens, Honeywell International, ABB, and Philips. As you look more broadly, however, some awareness is required. Less than 15 percent of companies in each of the consumer financial services, automotive, and airline industries have VDPs. And Starbucks is the only restaurant on the Global 2000 with a VDP.

Stay tuned to our blog for more guidance on implementing a VDP at your organization and check back next week for our dive into the Hacker-Powered Security Report’s number six (and final) key finding: security vulnerabilities worry companies the most!

