
No vulnerabilities? No...

There's just no "vulnerability reporting desk".

IssueHunt VDP provides everything from setting up a vulnerability reporting desk to proposing modifications.


Why is it needed?

Why do we need a reporting desk?

It is not uncommon for vulnerabilities in web services to be discovered by external parties. However, even if a third party finds a vulnerability by accident, if there is no contact point to report it to, the report cannot be accepted, and the risk of a cyber attack increases.

Even if you find it, there is no reporting window...


What is VDP?

General info about VDP

It is possible to cover both security measures and brand enhancement.

IssueHunt VDP is based on the functional requirements of the Vulnerability Disclosure Program, a common vulnerability acceptance mechanism in the United States. With IssueHunt VDP, you can implement the security measures the U.S. government practices without any hassle.

01

Meets IPA guidelines

System vulnerabilities can lead to cyber attacks by malicious hackers if companies do not act. However, receiving reports before such an attack occurs prevents it from happening.

02

No-code VDP Implementation

All the functions required for VDP, like creating and installing vulnerability-specific forms, messaging and acknowledging the reporter, and disclosing the vulnerability, can be implemented.

03

Centralized team management

The reports received are stored in a dashboard to visualize the information. As a result, data can be aggregated even when the security team is working across multiple departments.

04

Improved corporate branding

Posting an acknowledgment to the reporter can be expected to earn a positive reception from the engineering community. This in turn affects your corporate branding and recruitment.

Triage Support

Operate on behalf of the company.

If there is no one in your company with security expertise or your security team is too busy, our support team can operate on your behalf. We assign a dedicated manager to each customer and work closely with the customer's development team to support operations as if they were a team member.

Price

Rate Structure

IssueHunt VDP is free to get started. Prevent cyber attacks and information leaks.

Basic

$0/month

This is an easy-to-start plan for companies that want to try VDP for the first time.

Initial Cost: Free
Manager: Up to 5 people
Installation Support: No
Support: No

Plus

$29/month

This plan is for companies that want corporate support and implementation assistance.

Initial Cost: Free
Manager: No Limit
Installation Support: Yes
Support: By Email

IssueHunt is the place to start for security measures that will become a competitive advantage.

FAQ

Frequently Asked Questions

Q. Do any security guidelines require the installation of a VDP?

The U.S. Department of Homeland Security (CISA: Cybersecurity and Infrastructure Security Agency) has issued a statement requiring U.S. federal agencies to implement a VDP. In addition, NIST SP 800-53 Rev5, a security guideline for U.S. government agencies, recommends that private companies implement a VDP too.

Q. Why do I need a VDP even though I have a company contact desk?

Some people who discover vulnerabilities do not report them due to concerns about legal risks. As a result, vulnerabilities that could have been promptly remedied are left unattended, and the risk of information leakage remains. By setting up a VDP and showing that the company accepts vulnerability reports, vulnerability discoverers can confidently report vulnerabilities.

Q. Do I have to disclose vulnerabilities?

No, you don't. However, disclosing vulnerabilities after they have been remediated has various advantages, such as reducing communication costs to customers and partners and leading to the hiring of security engineers.

Q. Do I have to pay a reward every time?

No, you don't. The VDP is a window for receiving vulnerability reports and is very different from a bug bounty program, where bounty payment is a prerequisite. We have heard from some of our customers that they are troubled by vulnerability reports from hackers in the wild and that they are always asked for bounty payments. A VDP is also effective as a means of responding to such reports.