Last spring, an interim CISO at a small bank posed a question that I later included in a report: “If you have your bug bounty scope set to production, not staging, and you have real data, not test data, then any time [a security researcher] finds something that allows them to dump data,” do you have a reporting event?
His answer: Yes. (Unless, of course, the organization has scoped its policy correctly. Surprise: most have not.)
However, the National Cyber Security Centre -- which, if the spelling didn’t give it away, is part of the UK’s GCHQ -- has come to a different conclusion:
"A vulnerability disclosure is not in itself an incident. However, when a vulnerability is used in an attack, it is an incident. This means that if an unpatched vulnerability gets publicised (sic), it could become an incident. Therefore, having a mature and coordinated vulnerability disclosure process helps decrease the risk of an incident occurring."
NCSC Blog Post: NCSC vulnerability disclosure co-ordination
Related Javelin, Blog Post: Can Crowd-Sourced Security Vendors Build Trust with Banks?
Related Report: Bug Bounties: Overcoming Fears, Finding Solutions
Many bankers would most likely agree -- with the second half of the statement, at least.
Fears around unauthorized vulnerability disclosure, and what it means for the products, services, and ultimately the customers a financial institution (FI) supports, are a major obstacle to FIs even considering a program anything like the pilot the British government launched.
This all might be unsatisfying for my interim CISO friend. I suspect, in fact I know, that he still worries about the side effects of vulnerability disclosure, especially when cash incentives that outweigh average developer salaries are added to the mix. Read: $100,000-plus bug bounties.