A Vulnerability Disclosure Program (VDP) has become a basic layer of security infrastructure, allowing organizations to receive vulnerability submissions from the general public. Although VDP is a basic provision, receiving vulnerabilities from public researchers outside of the Synack Red Team (SRT) requires thoughtful implementation and management. Good ethics and security expertise are a critical part of any VDP and you need a trusted partner that can give you the best advice.
High efficiency and ethical standards are built into the core of the Synack model. Synack’s managed approach gives the same thorough triage and analysis to every submission from the public as it does to those submissions from the SRT, and ensures that they are handled promptly and professionally.
Synack’s Disclose product is included at no additional cost as part of Synack’s annual crowdsourced penetration testing subscriptions.
Synack sets up the responsible disclosure program website for you and manages the program end to end. Here’s how it works:
We take on the end-to-end management of the program to alleviate your security team’s operational burden and provide you with the highest quality of service, including:
In November 2019, DHS CISA released a draft Binding Operational Directive (BOD) that seeks to establish a vulnerability disclosure program at every federal agency.
As a Synack Government customer, you can start your fully managed vulnerability disclosure program today. Our Crowdsourced Security Platform hosts managed vulnerability disclosure programs for all of our subscription customers at client.responsibledisclosure.com at no additional charge. See how these agencies are partnering with Synack for their VDP: