Synack’s Managed Vulnerability Disclosure Program

Why Choose a Managed Vulnerability Disclosure Program?

A Vulnerability Disclosure Program (VDP) has become a basic layer of security infrastructure, allowing organizations to receive vulnerability submissions from the general public. Although a VDP is a basic provision, receiving vulnerabilities from public researchers outside of the Synack Red Team (SRT) requires thoughtful implementation and management. Good ethics and security expertise are a critical part of any VDP, and you need a trusted partner that can give you the best advice.


The Synack Difference

High efficiency and ethical standards are built into the core of the Synack model. Synack’s managed approach gives the same thorough triage and analysis to every submission from the public as it does to those submissions from the SRT, and ensures that they are handled promptly and professionally.

Synack’s Disclose product is included at no additional cost as part of Synack’s annual crowdsourced penetration testing subscriptions.

How Disclose Works

Synack sets up the responsible disclosure program website for you and manages the program end to end. Here’s how it works:

  1. Once Synack publishes your VDP website, for example [yourorganizationname].responsibledisclosure.com, anyone can report a vulnerability or issue found in your application.
  2. The Synack Operations team will triage the submission for validity, collaborating with the researcher as necessary. If valid, the vulnerability will be reported to you in the Synack Portal.
  3. Synack will direct the researcher not to disclose the details of the vulnerability publicly until it has been remediated.
  4. Once the vulnerability is remediated, Synack will confirm the fix and close the loop with the researcher, thanking them for their submission and authorizing them to disclose the vulnerability publicly. Researchers can track the status of all their submissions on your organization's VDP website.
  5. The researcher will be listed on your organization's VDP acknowledgments page along with the vulnerability category and CVSS score. No monetary compensation will be provided to the researcher. Monetary incentives are only provided as part of controlled crowdsourced penetration testing engagements with the vetted Synack Red Team.

Synack Disclose Benefits

We take on the end-to-end management of the program to alleviate your security team’s operational burden and provide you with the highest quality of service, including:

  • Triage Services & Noise Removal: Complete triage for every vulnerability submission (including validation and thorough analysis) and verification of the fix once you have remediated
  • End-to-end Expertise: Oversight of the full life cycle of the vulnerability, from discovery to remediation, drawing on years of experience and thousands of crowdsourced security programs
  • Researcher Management: Managed researcher communications, support, report acknowledgement, and recognition
  • Vulnerability Management: Oversee your penetration testing and vulnerability disclosure programs in Synack’s integrated platform
  • Researcher Expertise: Harness the security community's global and specialized expertise by providing a means for them to test your publicly accessible targets.

SYNACK WILL...

  • Provide a customizable VDP template to host on the client’s public-facing website
  • Assist client in program implementation and scoping
  • Manage registration and ongoing communication with researchers
  • Triage and hand off valid vulnerabilities to client
  • Verify vulnerability remediation after the client has confirmed patching
  • Maintain the researcher recognition program

CUSTOMER WILL...

  • Develop and host content which directs researchers to client.responsibledisclosure.com and covers the program scope
  • Review vulnerabilities that Synack has determined to be valid
  • Patch and confirm fixes with Synack

RESEARCHER WILL...

  • Perform testing activities within legal terms and program scope
  • Submit reports through your organization's responsibledisclosure.com site
  • Disclose only when given confirmation from Synack

How Synack Can Help Your Government Agency Comply with CISA BOD 20-01

In November 2019, DHS CISA released a draft Binding Operational Directive (BOD) 20-01, which requires every federal civilian executive branch agency to establish a vulnerability disclosure policy and program.

As a Synack Government customer, you can start your fully managed vulnerability disclosure program today. Our Crowdsourced Security Platform hosts managed vulnerability disclosure programs for all of our subscription customers at client.responsibledisclosure.com at no additional charge.

Additional Resources

  • Product Overview: Learn more about Synack Disclose
  • Product Demo Videos: Explore the Synack Crowdsourced Security Platform
  • Blog: Read the Takeaways from Synack's Federal VDP Roundtable