Responsible Disclosure


Responsible disclosure is a great way to test your assets using multiple perspectives and different methodologies. This Working Session will explore creating and managing responsible disclosure programmes.

What

  • Pros and cons of setting up a responsible disclosure programme
  • Checklists to keep in mind before starting a programme
  • Responsible Disclosure legal framework accepted EU/country wide
    • Protect Researchers
    • Protect organisation’s key assets and NDA policy
  • Understanding important third-party players and their key services
  • How to benefit best from a responsible disclosure programme
  • Success stories
  • What is the future of responsible disclosure?

Outcomes

  • Checklists to keep in mind before starting a programme
  • Responsible Disclosure legal framework accepted EU/country wide

Synopsis and Takeaways

  • Level one consists of “Creating an email address for communication (vulnerability report submissions)”, “Designated person for the response” and “Publishing the contact details for responsible disclosure (social channels or through the web page)”.
  • Level two consists of “Rewards or kudos awarded for valid submissions”, “Published validation timelines”, “Ability to triage” and “Ability to fix the issues”.
  • Level three consists of “Credibility of the programme within the security community”, “Published reward values”, “Published remediation timelines” and “Published end-to-end process”.
  • Each item is answered with “Yes” or “No”; comments can be added where needed.
  • After collaborating with participants, the “OWASP Responsible Disclosure Maturity Model Survey” was conceived.

Survey images: survey 1, survey 2 (images of the survey form, not reproduced here)

Who

The target audience for this Working Session is:

  • Leading bug bounty hunters
  • Companies with mature bug bounty programmes (self-managed)
  • Third party leaders in managed bug bounties

Working materials

  • Draft checklists to keep in mind before starting a programme
  • Draft Responsible Disclosure legal framework accepted EU/country wide
  • Please add as much information as possible before the sessions

Content

… Add content …
