HackerOne launches free tier for vulnerability disclosure program

HackerOne has unveiled Essential VDP, a complimentary, entry-level tier of its Vulnerability Disclosure Programme (VDP) product, HackerOne Response.

This new offering aims to assist organisations in establishing an open channel for third parties to report vulnerabilities directly to their team, helping them meet various compliance requirements and enhance cybersecurity practices.

Jason DeBord, Chief Information Security Officer for the Ohio Secretary of State, emphasised the significance of VDPs in security management. "Adopting a Vulnerability Disclosure Programme ensures that an organisation is prepared to handle security vulnerabilities effectively," DeBord stated. "Our VDP gives us a communication channel with security researchers so they can report vulnerabilities before bad actors find them."

Regulatory standards from multiple governments have started recognising the necessity of VDPs as an essential security measure. These include the National Institute of Standards and Technology (NIST) 800-53, the ISO 27001 standard, and the Product Security and Telecommunications Infrastructure Act (PSTI). These frameworks mandate the need for reliable and documented processes to handle security vulnerabilities.

Ilona Cohen, Chief Legal and Policy Officer at HackerOne, highlighted the widespread adoption of VDPs in the industry. "Thousands of leading organisations have already adopted, and continue to adopt, VDPs because they work. They are a proven and fundamental best practice that reduces cybersecurity risk," Cohen remarked. "Improving access to VDPs will make it easier for individual organisations to meet compliance standards and collectively improve the safety of the internet for everyone."

Essential VDP provides organisations that are new to vulnerability disclosure with a range of resources to set up a VDP on HackerOne's platform. This includes a guided onboarding experience, training, product documentation, support for templated disclosure guidelines, and integration with a HackerOne inbox for simplified vulnerability tracking and remediation. Additionally, the platform offers industry-leading policy guidance and best practices derived from thousands of programmes hosted on HackerOne.

Arthur Weibe, Site Reliability Engineer at ADAMnetworks, noted the operational benefits of using HackerOne's Essential VDP. "We found that handling reports via email was becoming difficult to manage," Weibe commented. "HackerOne Essential VDP resolves this issue by providing a structured way to track all reports from triage to resolution. We get better reports, and the team has better visibility."

The platform also provides in-platform attestation reports that help organisations address compliance requirements as proof of maintaining a VDP. This feature aims to assist organisations in their audit preparations and adherence to global compliance frameworks.

Currently, HackerOne supports numerous programmes for a variety of leading brands, including established VDPs for entities like The Ohio Secretary of State, Department of Defense, John Deere, and Adobe.