DarkHorse - Breaches Are Expensive; DarkHorse Isn't. VDPs.

Vulnerability Disclosure Programs (VDPs)

An Essential Part of The NIST Cybersecurity Framework: every organization needs to have a VDP.
With DarkHorse, it's easier and more affordable than ever. Get all the value of a VDP with the big guys for a fraction of the cost. Get started today!
Free, for real
Fully public, for everyone

Unlike others who offer "free" VDPs, our free VDPs can be run as public programs, with no limitations around what you can and cannot use on the platform.

An essential part of the NIST CSF
Quickly compliant

Having a VDP is an essential part of the NIST CSF 2.0 (section ID.RA-08).

Faster & easier to use
Set up your VDP in minutes

And go live within hours. DarkHorse is built around enabling you to be in control of what you need, when you need it. Fewer hoops, more doing.

Low cost, high value
Transparent and open pricing

Completely free for any organization under 25 reports per year. $7 per report for any organization over 25 reports per year (i.e. $700 for 100 reports across a full year - elsewhere, that would cost tens of thousands).

Frequently asked questions about vulnerability disclosure programs (VDPs)

FAQs

A VDP is a formal mechanism by which parties can responsibly report security issues to the organization that owns the asset in which the security risk is identified.

For example: if, while using an application, I notice that there appears to be a SQL Injection vulnerability on the application (by way of seeing an error that says "incorrect syntax near", or something to that effect), I would then want to report that responsibly to the organization who owns that asset.

HOWEVER...

Many, many, many organizations don't have a way to responsibly report those issues. And even fewer have good tooling to help manage those reports. This is where we come in. In many cases, these reports are managed by email and a spreadsheet, and the DarkHorse platform offers an affordable, scalable way to manage those reports - making it easier to receive, action, and remediate issues, reducing your risk along the way.

It's true, you could do this on your own - and one could also build a house using no power tools. It's absolutely possible, we just make it a whole lot easier to ingest the information and to process it - all of which leads to a quicker resolution. If you prefer to run a VDP via an email and spreadsheet, there's nothing inherently wrong with that - we've just built a platform that can help, and tried to make it affordable, so that nobody has a reason to not have a VDP, ever again.

Additionally, though DarkHorse is new to the scene, in the coming months we'll be unveiling SDLC integrations (Jira, etc.) for upstreaming findings. DarkHorse also has a number of other product lines that can add to your security program (bug bounty, pentesting, etc.). In this way, DarkHorse can become your single pane of glass for all your offensive security vulnerabilities - pentest, bug bounty, and VDP... one more way to make your life just a little easier.

No. You are simply inviting people to responsibly report security issues to you. In some cases, running a VDP does cause an influx of reports (such as when running a public VDP), as some individuals may be encouraged by the presence of a VDP to practice their ability to identify security issues, etc. However, this isn't cause for alarm - if anything, it's a cause for celebration, as these persons are doing the work pro-bono... providing an extremely valuable service, at no additional cost.

Not much. If you expect 100 or fewer reports per year, your annual cost would work out to a couple of dollars per day. We've really done everything we can to make this as automated as possible, so that we can (1) give it away for low-use organizations; and (2) charge the lowest rates on the market to make it affordable to everyone. Our rate for VDPs is a mere $7 per report - which is significantly cheaper than any other option on the market right now.

A self-managed program is one where you manage all the aspects of the program by yourself. This could be as extensive as not using a platform at all, or even using a platform, but not getting any support in terms of how the program should be managed. You kind of just have to figure it out for yourself. There is one platform where this is pretty common.

A managed program is one where the services teams at the platform provider add an additional layer of human-based guidance and support throughout the sales, onboarding, triage, support, and day-to-day operations. However, quality and consistency can be lacking, since you have a wide range of individuals touching the account. Additionally, all of these persons and the services they provide are wrapped up into a much higher average cost, even if they provide little-to-no value.

A platform-managed program is one that takes all that the best humans know about running a program successfully, and then makes it programmatic. Instead of having to pay for the costs of (and this is not hyperbole) an Account Executive, Sales Engineer, Business Development Representative, Account Manager, Technical Customer Success Manager, Onboarding Engineer, Solutions Architect, Support Engineer, Triage Engineer, and more… and then of course there’s all their bosses, and so on. Instead of having all those costs rolled up into your bill, what if 90% of those roles were automated to provide consistency and scale, while also allowing you to pick and choose where you want and need support along the way? Then pass those savings along to you. That’s platform-management, and that’s what we’re building here at DarkHorse.

First and foremost, our mission statement (to make crowdsourced and offensive security accessible and affordable to all) precludes the idea of 'competition' in the traditional sense. So long as people have access to services that we think are essential for improving their security posture, we have no quarrel around who they use or how they do it. Full stop.

Want to use Bugcrowd or HackerOne as your chosen provider for VDPs or bug bounties? Good on ya! - if you're decreasing risk and increasing your security posture, we have zero issue - we're just happy it's happening.

That said, it's your decision around your perceived ROI for the services and software that you're paying for. Some people may want all the bells and whistles of a Bugcrowd or HackerOne, and again, our goal is not and will not be to compete with them. Our goal is to democratize crowdsourced and offensive security, making it accessible and affordable for everyone. We personally think our solution will meet the needs of a great many organizations, and that DarkHorse provides the highest amount of ROI for the lowest cost - allowing you to save cash that can then be re-deployed within your security organization to the areas that need it the most - but again, we're not trying to build a giant services org, cater to the high end, or maximize for profit; we're trying to make this accessible for everyone.

First and foremost: honesty and trust. As documented elsewhere, we'd be more likely to make more money working at McDonald's for the next year than on this platform. If we wanted money, we could have stayed in our high paying jobs, or even just found another high paying role. Our reputation and dignity are too high to defraud customers out of their money - doing so would irreparably damage what we're trying to do... which is to make crowdsourced and offensive security accessible and affordable for everyone.

Secondarily, if you do receive large numbers of spammed reports, let us know, and we'll make sure you aren't charged for them. Again, our goal is to bring people into the world of crowdsourced and offensive security - not to push them away. Do note that some level of noise is inherent in running a bounty program - so, in our view, a random dude sending a useless clickjacking report doesn't count as spam. However, someone sending the same report 100s of times does count as spam. But if you feel it's spam, feel free to reach out, and we'd be happy to review it.

It's covered in a few places (including our whitepaper on it here), but there are a few reasons:

  1. We don't believe it's as economical for organizations as you may have been led to believe. We started building out a triage function for DarkHorse, but quickly realized that it's actually not as advantageous as we initially thought. Take this quick thought exercise:
    • 20-30% of reports wind up being valid. This means that out of the gate you still have to do at least 20-30% of the total work involved in triage, since you need to validate those reports yourself, etc.
    • Anyone who has managed a program also knows that there's a number of reports that need their input pre-triage as well... with questions from the triagers asking if things are in scope, if it's intended, and so forth. We'll call this an additional 10% of reports.
    • Finally, there are a small percentage of reports that get mis-triaged, and need your oversight. We'll call this another 5% of reports.
    • So, even with triage in place, we're up to touching approximately 35%-45% of all reports, no matter what.
    • Then also remember that the other remaining reports are duplicates, out-of-scopes, not-applicables, and so forth. And then also keep in mind that those types of reports tend to take less than half the effort of evaluating a valid report.
    • Adjusted for effort, triage is charging for 100% of the work, but despite that, you are still required to do over 50% of the work in the end. So your real adjusted savings in paying for triage is closer to 50% (or less), in terms of work reduction.
    • While your mileage may vary, in our opinion, getting 50% of the value for 100% of the price isn't particularly economically efficient. And for that reason, we don't offer triage by default. Were it our security program, we'd put our funds to use elsewhere, and we want to offer our clients the same courtesy.
  2. Secondarily, the mission of DarkHorse is to make crowdsourced and offensive security accessible and affordable for everyone. In our view, building a services organization is antithetical to that goal. Running services means having to handle more personnel, and the issues that come with personnel, etc. - and before we knew it, we'd be spending all our time managing the services org... instead of staying true to our mission. So this is us staying true to our mission. Nothing against triage - it's immensely valuable for many, many organizations. It's just not what we're focused on right now.

We've got you covered. For organizations that don't want a public VDP, there's the option to have an embedded submission form - which is simply our submission form that you can embed on your website. This allows you to use all the advantages of a platform-driven approach to running a VDP, but also not have it be openly advertised on "The List" page.

Additionally, if you want the extra formatting and display styles of running a public VDP, but don't want your program listed on "The List" page, we also have an "unlisted" option that lets you link out to your program without it showing up on /theList. Whatever your goals and needs are, we've got you covered.

VDP Pricing