Application security is now a widely discussed issue, and many apps fail to guarantee full safety for their users. Google Play is therefore working with an independent bug bounty platform, HackerOne, and the developers of popular Android apps to run the Google Play Security Reward Program. A hacker who identifies a vulnerability in an in-scope app and reports it directly to the app’s developer is rewarded with $1,000 (Chin, 2017). Several large firms are already participating, among them Alibaba, Dropbox, Snapchat and Tinder. Thirteen apps are taking part in the trial period, after which Google will open the program to the wider community.
Finding and eradicating vulnerabilities is an important aspect of cybersecurity. Rosenstein (2017), the US Deputy Attorney General, put forward that every company should consider promulgating a vulnerability disclosure policy (VDP). A VDP is a public invitation for ‘ethical hackers’ to report vulnerabilities. HackerOne is the leading platform, with over 950 customers. It offers an ISO 29147-compliant process designed to receive, resolve and respond to security vulnerabilities discovered by third-party researchers, academics or other members of the public.
We can state that a VDP is a must these days: it gives ethical hackers clear guidelines and encourages them to report potentially unknown and harmful security vulnerabilities (HackerOne, 2017). The five critical components of a VDP are Promise, Process, Scope, Preferences and “Safe Harbor”, elaborated below:
Promise: Convey the mission behind the policy and explain your commitment to security, to customers and to others.
Process: Detail how finders should submit reports and what information you would like each report to contain.
Scope: Specify which systems and which kinds of testing are allowed and which are not.
Preferences: Set out a non-binding set of expectations for how reports will be evaluated and prioritised.
“Safe Harbor”: State that reporters who follow the policy will not be penalized.
Following these steps, the skills of hackers can be channelled in the right way to improve the security of applications.
References:
Chin, M. (2017). Google is offering $1000 to anyone who can hack Tinder, Snapchat, Dropbox, and more. [Online] Mashable. Available at: http://mashable.com/2017/10/20/google-play-bounty-program/?utm_cid=hp-h-9#ofPSvBM3VmqN [Accessed 20 Oct. 2017].
HackerOne. (2017). Here are the 5 critical components of a Vulnerability Disclosure Policy. [Online] HackerOne. Available at: https://ma.hacker.one/rs/168-NAU-732/images/5-critical-elements-vdp-guide-1pager.pdf [Accessed 20 Oct. 2017].
Rosenstein, R. J. (2017). US Deputy Attorney General Recommends Every Company Create a Vulnerability Disclosure Policy. [Online] HackerOne. Available at: https://www.hackerone.com/blog/US-Deputy-Attorney-General-Recommends-Every-Company-Create-a-Vulnerability-Disclosure-Policy-VDP [Accessed 20 Oct. 2017].