DarkHorse

VDPs

(Vulnerability Disclosure Programs)

FAQs

(if you have other questions, feel free to reach out at any time to info[at]darkhorse.sh)
What is a VDP?
A VDP is a formal mechanism by which parties can responsibly report security issues to the organization that owns the asset in which the security risk is identified.

For example: if, while using an application, I notice that there appears to be a SQL Injection vulnerability on the application (by way of seeing an error that says "incorrect syntax near", or something to that effect), I would then want to report that responsibly to the organization who owns that asset.

HOWEVER...

Many, many, many organizations don't have a way to responsibly report those issues. And even fewer have good tooling to help manage those reports. This is where we come in. In many cases, these reports are managed by email and a spreadsheet, and the DarkHorse platform offers an affordable, scalable way to manage those reports - making it easier to receive, action, and remediate issues, reducing your risk along the way.
It sounds like I could just do this on my own? Why use DarkHorse?
It's true, you could do this on your own - and one could also build a house using no power tools. It's absolutely possible, we just make it a whole lot easier to ingest the information and to process it - all of which leads to a quicker resolution. If you prefer to run a VDP via an email and spreadsheet, there's nothing inherently wrong with that - we've just built a platform that can help, and tried to make it affordable, so that nobody has a reason to not have a VDP, ever again.

Additionally, though DarkHorse is new to the scene, in the coming months we'll be unveiling SDLC integrations (Jira, etc.) for upstreaming findings. DarkHorse also has a number of other product lines that can add to your security program (bug bounty, pentesting, etc.). In this way, DarkHorse can become your single pane of glass for all your offensive security vulnerabilities - pentest, bug bounty, and VDP... one more way to make your life just a little easier.
Is this inviting people to hack me?
No. You are simply inviting people to responsibly report security issues to you. In some cases, running a VDP does cause an influx of reports (such as when running a public VDP), as some individuals may be encouraged by the presence of a VDP to practice their ability to identify security issues, etc. However, this isn't cause for alarm - if anything, it's a cause for celebration, as these persons are doing the work pro-bono... providing an extremely valuable service, at no additional cost.
I think I'll get more than 25 reports per year... what will this cost?
Not much. If you expect 100 or fewer reports per year, your annual cost would be about a dollar per day. We've really done everything we can to make this as automated as possible, so that we can (1) give it away for low-use organizations; and (2) charge the lowest rates on the market to make it affordable to everyone. Our rate for VDPs is a mere $3 per report - which is significantly cheaper than any other option on the market right now.
What if I don't want my VDP to be visible to everyone?
We've got you covered. For organizations that don't want a public VDP, there's the option to have an embedded submission form - which is simply our submission form that you can embed on your website. This allows you to use all the advantages of a platform-driven approach to running a VDP, but also not have it be openly advertised on "The List" page.

Additionally, if you want the extra formatting and display styles of running a public VDP, but don't want your program listed on "The List" page, we also have an "unlisted" option, that lets you link out to your program, but it won't show up on /theList. Whatever your goals and needs are, we've got you covered.
What is self-managed vs. managed vs. platform-managed?
A self-managed program is one where you manage all the aspects of the program by yourself. This could be as extensive as not using a platform at all, or even using a platform, but not getting any support in terms of how the program should be managed. You kind of just have to figure it out for yourself. There is one platform where this is pretty common.

A managed program is one where the services teams at the platform provider add an additional layer of human-based guidance and support throughout the sales, onboarding, triage, support, and day-to-day operations. However, quality and consistency can be lacking, since you have a wide range of individuals touching the account. Additionally, all of these persons and the services they provide are wrapped up into a much higher average cost, even if they provide little-to-no value.

A platform-managed program is one that takes all that the best humans know about running a program successfully, and then makes it programmatic. Consider the costs of (and this is not hyperbole) an Account Executive, Sales Engineer, Business Development Representative, Account Manager, Technical Customer Success Manager, Onboarding Engineer, Solutions Architect, Support Engineer, Triage Engineer, and more… and then of course there’s all their bosses, and so on. Instead of having all those costs rolled up into your bill, what if 90% of those roles were automated to provide consistency and scale, while also allowing you to pick and choose where you want and need support along the way? Then pass those savings along to you. That’s platform-management, and that’s what we’re building here at DarkHorse.
Why not use your competitors (HackerOne, Bugcrowd, et al)?
First and foremost, our mission statement (to make crowdsourced and offensive security accessible and affordable to all) precludes the idea of 'competition' in the traditional sense. So long as people have access to services that we think are essential for improving their security posture, we have no quarrel around who they use or how they do it. Full stop.

Want to use Bugcrowd or HackerOne as your chosen provider for VDPs or bug bounties? Good on ya! - if you're decreasing risk and increasing your security posture, we have zero issue - we're just happy it's happening.

That said, it's your decision around your perceived ROI for the services and software that you're paying for. Some people may want all the bells and whistles of a Bugcrowd or HackerOne, and again, our goal is not and will not be to compete with them. Our goal is to democratize crowdsourced and offensive security, making it accessible and affordable for everyone. We personally think our solution will meet the needs of a great many, many organizations, and that DarkHorse provides the highest amount of ROI for the lowest cost - allowing you to save cash that can then be re-deployed within your security organization to the areas that need it the most - but again, we're not trying to build a giant services org, cater to the high end, or maximize for profit, we're trying to make this accessible for everyone.
If you charge per report, what's to stop you from spamming me with reports to make more money?
First and foremost: honesty and trust. As documented elsewhere, we'd be more likely to make more money working at McDonald's for the next year than on this platform. If we wanted money, we could have stayed in our high paying jobs, or even just found another high paying role. Our reputation and dignity are too high to defraud customers out of their money - doing so would irreparably damage what we're trying to do... which is to make crowdsourced and offensive security accessible and affordable for everyone.

Secondarily, if you do receive large numbers of spammed reports, let us know, and we'll make sure you aren't charged for them. Again, our goal is to bring people into the world of crowdsourced and offensive security - not to push them away. Do note that some level of noise is inherent in running a bounty program - so, in our view, a random dude sending a useless clickjacking report doesn't count as spam. However, someone sending the same report 100s of times does count as spam. But if you feel it's spam, feel free to reach out, and we'd be happy to review it.
Why don't you include triage and validation when the other major players (HackerOne, Bugcrowd, et al) seem to include it?
It's covered in a few places, but there are a few reasons:
  1. We don't believe it's as economical for organizations as you may have been led to believe. We started building out a triage function for DarkHorse, but quickly realized that it's actually not as advantageous as we initially thought. Take this quick thought exercise:
    • 20-30% of reports wind up being valid. This means that out of the gate you still have to do at least 20-30% of the total work involved in triage, since you need to validate those reports yourself, etc.
    • Anyone who has managed a program also knows that there's a number of reports that need their input pre-triage as well... with questions from the triagers asking if things are in scope, if it's intended, and so forth. We'll call this an additional 10% of reports.
    • Finally, there are a small percentage of reports that get mis-triaged, and need your oversight. We'll call this another 5% of reports.
    • So, even with triage in place, we're up to touching approximately 35%-45% of all reports, no matter what.
    • Then also remember that the other remaining reports are duplicates, out-of-scopes, not-applicables, and so forth. And then also keep in mind that those types of reports tend to take less than half the effort of evaluating a valid report.
    • Adjusted for effort, triage is charging for 100% of the work, but despite that, you are still required to do over 50% of the work in the end. So your real adjusted savings in paying for triage is closer to 50% (or less), in terms of work reduction.
    • While your mileage may vary, in our opinion, getting 50% of the value for 100% of the price isn't particularly economically efficient. And for that reason, we don't offer triage by default. Were it our security program, we'd put our funds to use elsewhere, and we want to offer our clients the same courtesy.
  2. Secondarily, the mission of DarkHorse is to make crowdsourced and offensive security accessible and affordable for everyone. In our view, building a services organization is antithetical to that goal. Running services means having to handle more personnel, and the issues that come with personnel, etc - and before we knew it, we'd be spending all our time managing the services org... instead of staying true to our mission. So this is us staying true to our mission. Nothing against triage - and it's immensely valuable for many, many organizations. It's just not what we're focused on right now.
Do you have a video walkthrough for setting up a VDP?
Sure! Here ya go!

About Our VDP Offering

Did you know that most organizations qualify for a free VDP? We believe VDPs are an essential part of any security program, and as such, every organization should have access to an affordable platform for running a VDP. If you anticipate (or currently get) less than twenty-five reports per year, we’ll let you run your VDP on DarkHorse for free… no catches or gimmicks.

Note that other organizations also offer "free" VDPs, but in doing so they also stick significant limitations on what you can/can't do. We don't/won't do that. There is no diminished version of the platform for free users. Again, our goal is to democratize security, not to nickel and dime you. See our comparison below to see how things stack up against Bugcrowd and HackerOne.

For organizations that expect to get more than twenty-five reports per year, our pricing is structured so that you only pay for what you need. For instance, where most things in this world will charge “X or Y, whichever makes them more money”, we take the opposite approach - we’ll only charge you for what you use - and if you got spammed with reports, we won't charge you for those. Don't believe us? Read our about page to see what we're about. Hopefully you'll join us on our mission to democratize crowdsourced and offensive security.

Here is a basic example to illustrate what we mean:

  • If, for some reason, your program gets spammed with hundreds of reports by a single individual (we’ll say 200 for this example), but only five of them are valid (e.g. reports with a risk rating of 5 or higher, including duplicates), we won’t charge you for the 195 that were noise. Now, again, there will always be noise in a VDP or bug bounty program - we can't prevent that. But when someone is clearly creating large numbers of reports that have no value, we won't charge you for those. That's not fair to you, and it's not true to our mission. Please reach out if you believe that's the case, and we'll avoid charging you for those reports.
Any organization can start a VDP for free, and you’ll only get charged if/when you exceed the set thresholds (see the chart below for specifics). The table below shows what that looks like across the varying tiers. Additionally, our calculator will take you through our contract/pricing options.

Some of our detractors in the space may point out that our base prices don’t include Support or Customer Success - which is true. This is because we want to offer you the freedom to set up your program in the way that you think is best for your organization. If you don’t need Support or a CSM, then we offer you the ability to opt out, and pass those savings along to you. The same holds true for triage & validation - we don’t offer that service out of the box, so as to pass those savings along to you. If you desire any of those additive services / triage and validation, we can set you up with our sister organization that provides consulting services for a quote. As covered in the FAQ above, our mission is to democratize this technology, so that's where our focus is, as opposed to building a services org. We may do so in the future, but not right now.

Annoying fine print:

  • We reserve the right to refuse service to anyone (at any time), and review all VDPs before they go live.
  • In the same vein as the above, if your program appears to be neglected and/or forgotten, we also reserve the right to turn it off if we’re unable to get a response from any of the points of contact on the account for 30 days or more.
  • For those on free plans, we appreciate donations, but they are not required. If you choose to make a donation, it’s worth highlighting that 100% of the donation (post-tax) will be distributed to our non-executive employees in the form of a quarterly bonus.
  • What is our “Ethical Guarantee”? Simply put: our mission is to provide affordable access to essential cybersecurity tools. Being greedy is not part of our mission, and we will do our level-best to always prioritize helping organizations become more secure over the pursuit of profit. It’s that simple.
    • That said, please do be aware that we still have to put food on the table for ourselves, as well as funding future improvements to this software and the people that make it possible - so while we may not relentlessly pursue excess profit, we still need to keep the lights on.
  • As much as we’d like to say that we’ll never ever change our rates, the odds are that we’ll have to do so periodically. Our hope is that we never have to materially change things, but what we can and will guarantee is that whatever pricing you sign up with, it will stay the same for the next twelve months, at which point we’ll migrate you to whatever the present pricing model is.
  • For those on the free tier, if possible, we'd love to use your logo or name in a testimonial. It's not required, but figured we'd put that out there!

VDP Pricing

Compare DarkHorse vs. Bugcrowd vs. HackerOne and their VDP offerings:

View the full pricing chart:

© 2024 DarkHorse Security, LLC. DarkHorse: Let's Ride. All rights reserved. CURRENTLY IN OPEN BETA