Last Spring, an interim CISO at a small bank posed a question I stuck within a report: “If you have your bug bounty scope set to production not staging, and you have real data not test data then anytime [a security researcher] finds something that allows them to dump data,” do you have a reporting event?

His answer: Yes. (Unless of course an organization has scoped their policy correctly. Surprise, most have not.)

However, the National Cyber Security Centre -- which, if you couldn’t guess because of the spelling, is part of the British GCHQ -- has come to a different conclusion:

"A vulnerability disclosure is not in itself an incident. However, when a vulnerability is used in an attack, it is an incident. This means that if an unpatched vulnerability gets publicised (sic), it could become an incident. Therefore, having a mature and coordinated vulnerability disclosure process helps decrease the risk of an incident occurring."

NCSC Blog Post: NCSC vulnerability disclosure co-ordination
Related Javelin, Blog Post: Can Crowd-Sourced Security Vendors Build Trust with Banks?
Related Report: Bug Bounties: Overcoming Fears, Finding Solutions

Many bankers would most likely agree -- with the second half of the statement, at least. 

Fears around unauthorized vulnerability disclosure – and what that means for the products, services, and ultimately customers an FI supports – are a major obstacle for FIs even considering a program anything like the pilot the British government launched.

This all might be unsatisfying for my interim CISO friend. I suspect – in fact, I know – he still worries about the side-effects of vulnerability disclosure. Especially, when cash incentives outweighing average developer salaries are added to the mix. Read: $100,000-plus bug bounties


Author

About Sean Sposito

Sean Sposito is an analyst in the fraud & security practice at Javelin Strategy & Research. His primary focus is the intersection of retail banking and information security. The topics he’s keenly interested in are vulnerability disclosure, cybersecurity insurance, threat intelligence, and the overall challenges facing security executives inside financial institutions. 

Before joining Javelin, Sean worked as a reporter at the San Francisco Chronicle, the Atlanta Journal-Constitution, and American Banker, among others. As a content strategist at the Christian Science Monitor, he counseled security vendors, PR agencies, and in-house communications executives on storytelling techniques and media engagement. 

He has moderated panels at the Visa Security Summit, the ATM Debit & Prepaid Forum, the Emerging and Mobile Payments Card Forum, the Mobile Banking and Commerce Summit, and the Mobile Payment Conference, among others. He holds a bachelor’s degree from the University of Missouri’s School of Journalism. 

Stay in Touch!