Javelin Strategy & Research’s new report reveals interest in, and concerns about, vulnerability disclosure policies, bug bounty programs and crowd-sourced penetration testing
San Francisco, CA, May 3, 2018: Security professionals at financial institutions are receptive to programs that guide independent researchers who find harmful security vulnerabilities in their firm’s online products and services, according to a new report by Javelin Strategy & Research, titled Bug Bounties: Overcoming Fears, Finding Solutions.
These vulnerability disclosure policies (VDPs) are becoming the standard for modern security programs. The report shows that a third of the engineers, IT managers, and other stakeholders surveyed – those whose chief concern is software or hardware vulnerabilities – say their financial institution (FI) maintains such a policy.
“Regulators may be leaning on companies to adopt VDPs while discouraging the implementation of public bug bounties – which incentivize disclosure with monetary rewards,” said Al Pascual, SVP Research and Head of Fraud & Security at Javelin Strategy & Research. “Some security professionals may not want to adopt these programs because data-breach notification laws may apply when independent security researchers are actively probing their systems.”