Synack's Managed Vulnerability Disclosure Program

A Vulnerability Disclosure Program (VDP) has become a basic layer of security infrastructure, allowing organizations to receive vulnerability submissions from the general public. Although VDP is a basic provision, receiving vulnerabilities from public researchers outside of the Synack Red Team (SRT) requires thoughtful implementation and management. Good ethics and security expertise are a critical part of any VDP and you need a trusted partner that can give you the best advice.

Synack sets up the responsible disclosure program website for you and manages the program end to end. Here’s how it works:

1. Once Synack publishes your VDP website, for example [yourorganizationname].responsibledisclosure.com, anyone can report a vulnerability or issue found in your application.
2. The Synack Operations team will triage the submission for validity, collaborating with the researcher as necessary. If valid, the vulnerability will be reported to you in the Synack Portal.
3. Synack will direct the researcher not to disclose the details of the vulnerability publicly until it has been remediated.
4. Once the vulnerability is remediated, Synack will confirm the fix and close the loop with the researcher, thanking them for their submission and authorizing them to disclose the vulnerability publicly. Researchers can track the status of all their submissions on your organization's VDP website.
5. The researcher will be listed on your organization's VDP acknowledgments page along with the vulnerability category and CVSS score. No monetary compensation will be provided to the researcher. Monetary incentives are only provided as part of controlled penetration testing engagements with the vetted Synack Red Team.

We take on the end-to-end management of the program to alleviate your security team’s operational burden and provide you with the highest quality of service, including:

• Triage Services & Noise Removal: Complete triage for every vulnerability submission (including validation and thorough analysis) and vulnerability remediation
• End-to-end Expertise: Oversight of the full life cycle of the vulnerability, from discovery to remediation, drawing on years of experience and thousands of security programs
• Researcher Management: Managed researcher communications, support, report acknowledgement, and recognition
• Vulnerability Management: Oversee your penetration testing and vulnerability disclosure programs in Synack’s integrated platform
• Researcher Expertise: Harness the security community’s global and specialized expertise through providing a means for them to test publicly accessible targets.

• Provide a customizable VDP template to host on the client’s public-facing website
• Assist client in program implementation and scoping
• Manage registration and ongoing communication with researchers
• Triage and hand off valid vulnerabilities to client
• Verify vulnerability remediation after the client has confirmed patching
• Maintain the researcher recognition program

• Develop and host content which directs researchers to client.responsibledisclosure.com and covers the program scope
• Review vulnerabilities that Synack has determined to be valid
• Patch and confirm fixes with Synack

• Perform testing activities within legal terms and program scope
• Input submissions to responsibledisclosure.com
• Disclose only when given confirmation from Synack

In November 2019, DHS CISA released a draft Binding Operational Directive (BOD) that seeks to establish a vulnerability disclosure program at every federal agency.

As a Synack Government customer, you can start your fully managed vulnerability disclosure program today. Our premier security testing platform hosts managed vulnerability disclosure programs for all of our subscription customers at client.responsibledisclosure.com at no additional charge.