{"id":208,"date":"2024-10-01T00:00:29","date_gmt":"2024-10-01T00:00:29","guid":{"rendered":"https:\/\/alibkaba.com\/?p=208"},"modified":"2025-11-14T01:48:40","modified_gmt":"2025-11-14T01:48:40","slug":"my-ultimate-guide-to-ibms-vdp-transition","status":"publish","type":"post","link":"https:\/\/alibkaba.com\/index.php\/2024\/10\/01\/my-ultimate-guide-to-ibms-vdp-transition\/","title":{"rendered":"My Ultimate Lessons from IBM&#8217;s VDP Transition"},"content":{"rendered":"\n<p>This article builds on a previous piece, <a href=\"https:\/\/www.linkedin.com\/pulse\/why-you-should-invite-hackers-hack-benefits-disclosure-ali-kaba-tldec\/\">Why You Should Invite Hackers to Hack You: The Benefits of Vulnerability Disclosure Programs<\/a>, which laid out the fundamentals of Vulnerability Disclosure Programs (VDP). In this installment, I share past experience transitioning <a href=\"https:\/\/www.linkedin.com\/company\/ibm\/\">IBM<\/a>\u2019s in-house VDP to a VDP platform, <a href=\"https:\/\/www.linkedin.com\/company\/hackerone\/\">HackerOne<\/a>. 
I\u2019ll be sharing insights and best practices for anyone looking to start, transition to a VDP platform, or refine their own program.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ember55\">Initial Planning and Strategy<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember56\">Joining the Team<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/team.png\" alt=\"\" class=\"wp-image-245\" style=\"width:274px;height:auto\" srcset=\"https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/team.png 1024w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/team-300x300.png 300w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/team-150x150.png 150w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/team-768x768.png 768w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/team-200x200.png 200w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/team-564x564.png 564w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/team-1000x1000.png 1000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"ember58\">In 2018, I joined a team responsible for handling activities typical of a product security incident response team and worked on transitioning IBM\u2019s VDP from an in-house model to the HackerOne platform. This \u201ccrawl, walk, run\u201d approach allowed us to start with a cashless rewards model and progressively expand the program. 
By evaluating outcomes early, we determined whether introducing monetary incentives would be beneficial.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember59\">Key Lessons Learned During Transition<\/h3>\n\n\n\n<p id=\"ember60\">Transitioning IBM\u2019s VDP to HackerOne offered several important insights:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Collaboration<\/strong> across legal, procurement, and engineering was essential for smooth execution<\/li>\n\n\n\n<li><strong>Automation<\/strong> of workflows minimized errors and improved response times, allowing us to manage more reports<\/li>\n\n\n\n<li><strong>Recognition<\/strong> sustained program momentum without monetary rewards, focusing on community engagement<\/li>\n\n\n\n<li><strong>Scope<\/strong> expanded to cover all non-product areas, closing the visibility gaps between teams<\/li>\n\n\n\n<li><strong>Policies<\/strong> were clearly defined to set expectations and support compliance<\/li>\n<\/ul>\n\n\n\n<p id=\"ember62\">Much of the initial groundwork had already been laid. Leadership buy-in was secured, and the tenured team was already assembled. 
With those key elements in place, I focused on strategic planning and execution to strengthen IBM&#8217;s security posture and enhance client trust.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ember63\">Procurement and Legal Alignment: Laying the Foundation<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/procurement-1.png\" alt=\"\" class=\"wp-image-244\" style=\"width:327px;height:auto\" srcset=\"https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/procurement-1.png 1024w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/procurement-1-300x300.png 300w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/procurement-1-150x150.png 150w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/procurement-1-768x768.png 768w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/procurement-1-200x200.png 200w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/procurement-1-564x564.png 564w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/procurement-1-1000x1000.png 1000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"ember66\">Procuring the Right HackerOne Plan<\/h3>\n\n\n\n<p id=\"ember67\">Working closely with procurement, I secured an Enterprise plan from HackerOne that included robust API integrations and priority support, which are critical for a complex organization like IBM. This step ensured we could meet our program goals with the necessary technical capabilities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember68\">Legal Considerations<\/h3>\n\n\n\n<p id=\"ember69\">Throughout procurement, I partnered closely with the legal team to ensure the HackerOne service agreement aligned with IBM&#8217;s policies on disclosure timelines, IP rights, and legal liability, among other areas. 
I clarified cybersecurity concepts for the legal team to ensure accurate contract terms. For example, I helped shape terms around IBM retaining ownership of vulnerability reports. Resolving these complex legal details was mandatory before finalizing the HackerOne contract.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember70\">Setting Clear Program Policies<\/h3>\n\n\n\n<p id=\"ember71\">With HackerOne selected as our platform, I focused on defining operating policies and rules of engagement tailored to our program&#8217;s goals, with help from HackerOne. This included scope, guidelines, a legal notice, hacker vetting standards, and transparent rules of conduct.<\/p>\n\n\n\n<p id=\"ember72\">Having IBM legal provide input was invaluable because they flagged potential risk areas related to hackers accessing systems, handling sensitive data, and more. I iterated on the policies until they struck the right balance between productivity and legal\/security compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ember73\">Challenges During the Transition: Expanding Scope and Refining Processes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember74\">Expanding Scope Beyond Product Vulnerabilities<\/h3>\n\n\n\n<p id=\"ember75\">IBM&#8217;s VDP initially focused on product vulnerabilities; reports about other areas, such as websites, were routed to different teams, often with limited visibility between them, creating potential gaps.<\/p>\n\n\n\n<p id=\"ember76\">To address this, we expanded our scope beyond products, covering websites and other areas. New intake pipelines and workflows were established and integrated with internal processes to ensure comprehensive coverage across IBM\u2019s infrastructure. 
Effective communication was key to ensuring a smooth transition.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ember77\">API Integration and Automation: Streamlining Workflows<\/h2>\n\n\n\n<p id=\"ember78\">One of the most critical elements of this transition was integrating HackerOne with internal systems to automate our workflows and improve data accuracy. Our internal development team, in collaboration with other teams, worked to ensure seamless data synchronization between platforms. The system would pull tickets from HackerOne, update statuses, and trigger specific actions based on ticket changes, ensuring that vulnerabilities were triaged and addressed efficiently.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember79\">Developing Custom Slack Integrations<\/h3>\n\n\n\n<p id=\"ember80\">I took the lead on developing the <a href=\"https:\/\/github.com\/IBM\/HackerOne-Notifications-Events-via-IBM-Cloud-Slack\">HackerOne Notifications\/Events<\/a> integration with <a href=\"https:\/\/www.linkedin.com\/company\/tiny-spec-inc\/\">Slack<\/a>, leveraging various IBM Cloud services to host and trigger the following scripts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response.py<\/strong> sent notifications for new reports that had seen no activity for more than three business days or had not been triaged within eight days, ensuring timely attention<\/li>\n\n\n\n<li><strong>RoundRobin.py<\/strong> automated the distribution of new reports in a round-robin fashion, ensuring even and efficient workload management among team members<\/li>\n\n\n\n<li><strong>OverDue.py<\/strong> sent alerts when reports were approaching or exceeding their severity-based resolution deadlines, prompting timely action to meet SLAs<\/li>\n<\/ul>\n\n\n\n<p id=\"ember82\">This automation significantly improved our response times, allowing us to handle a higher volume of reports without missing any SLAs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ember83\">Security and 
Compliance: Prioritizing Data Protection<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/compliance_shield.png\" alt=\"\" class=\"wp-image-243\" style=\"width:267px;height:auto\" srcset=\"https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/compliance_shield.png 1024w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/compliance_shield-300x300.png 300w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/compliance_shield-150x150.png 150w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/compliance_shield-768x768.png 768w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/compliance_shield-200x200.png 200w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/compliance_shield-564x564.png 564w, https:\/\/alibkaba.com\/wp-content\/uploads\/2024\/10\/compliance_shield-1000x1000.png 1000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p id=\"ember86\">Throughout the transition, ensuring data security and compliance was a top priority. We applied the principle of least privilege across the board, so that only the specific individuals who needed it could access sensitive report data. Data exchanged between HackerOne and internal systems was encrypted in transit, and stored report data was encrypted at rest.<\/p>\n\n\n\n<p id=\"ember87\">HackerOne was particularly helpful when navigating the complexities of data security and handling sensitive reports. Their team provided mediation services and valuable support when dealing with hacker issues, including notifying us when a hacker expressed frustration with the program on X (formerly Twitter). 
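The three checks described under API Integration and Automation above, as an added example that is not IBM's code nor taken from the linked repository: the inactivity and triage deadlines (Response.py), the severity-based resolution deadlines (OverDue.py) and the round-robin assignment (RoundRobin.py), evaluated over constructed sample reports. The report shape (attributes.created_at, attributes.last_activity_at, attributes.triaged_at, attributes.state and relationships.severity.data.attributes.rating) follows the HackerOne API's JSON:API layout as I understand it and is an assumption, as are the set of closed states, the resolution window per severity and the 80% warning threshold, none of which the article specifies. Fetching reports from the API and posting to the Slack webhook are left out so the block runs offline.

```python
# Added example (not IBM's code): SLA checks over HackerOne-style report JSON, offline.
from datetime import datetime, timedelta, timezone

STALE_BUSINESS_DAYS = 3               # Response.py: no activity for more than 3 business days
TRIAGE_DEADLINE = timedelta(days=8)   # Response.py: not triaged within 8 days
# Assumed resolution windows per severity rating, in calendar days (the article gives none).
RESOLUTION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "none": 180}
WARN_FRACTION = 0.8                   # OverDue.py: warn once 80% of the window has elapsed
# Assumed terminal report states; no SLA clock runs once a report reaches one of them.
CLOSED_STATES = {"resolved", "informative", "not-applicable", "duplicate", "spam"}

def parse_ts(value):
    """Parse an ISO 8601 timestamp such as 2024-09-30T09:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def business_days_since(start, now):
    """Count Mon-Fri days strictly after start's date, up to and including now's date."""
    day, count = start.date() + timedelta(days=1), 0
    while day <= now.date():
        if day.weekday() < 5:
            count += 1
        day += timedelta(days=1)
    return count

def severity_rating(report):
    """Read relationships.severity.data.attributes.rating (assumed shape); default 'none'."""
    data = report.get("relationships", {}).get("severity", {}).get("data") or {}
    return data.get("attributes", {}).get("rating", "none").lower()

def check_response(report, now):
    """Response.py logic: untriaged reports that went quiet or have waited too long."""
    attrs = report["attributes"]
    if attrs.get("triaged_at") or attrs.get("state") in CLOSED_STATES:
        return []
    findings = []
    idle = business_days_since(parse_ts(attrs["last_activity_at"]), now)
    if idle > STALE_BUSINESS_DAYS:
        findings.append(f"stale: no activity for {idle} business days")
    age = now - parse_ts(attrs["created_at"])
    if age >= TRIAGE_DEADLINE:
        findings.append(f"untriaged: open for {age.days} days")
    return findings

def check_overdue(report, now):
    """OverDue.py logic: triaged, unresolved reports nearing or past their severity deadline."""
    attrs = report["attributes"]
    if not attrs.get("triaged_at") or attrs.get("state") in CLOSED_STATES:
        return []
    rating = severity_rating(report)
    window = timedelta(days=RESOLUTION_DAYS.get(rating, RESOLUTION_DAYS["none"]))
    start = parse_ts(attrs["triaged_at"])          # the resolution clock starts at triage
    deadline = start + window
    if now >= deadline:
        return [f"overdue: {(now - deadline).days} days past the {rating} deadline"]
    if now - start >= window * WARN_FRACTION:
        return [f"approaching: {rating} deadline in {(deadline - now).days} days"]
    return []

def evaluate(reports, now):
    """Map report id -> SLA findings, omitting reports that are within SLA."""
    results = {}
    for report in reports:
        findings = check_response(report, now) + check_overdue(report, now)
        if findings:
            results[report["id"]] = findings
    return results

def round_robin(report_ids, assignees, cursor=0):
    """RoundRobin.py logic. `cursor` is the position persisted between runs so the
    rotation stays even across invocations; the updated cursor is returned."""
    assignments = {}
    for rid in report_ids:
        assignments[rid] = assignees[cursor % len(assignees)]
        cursor += 1
    return assignments, cursor % len(assignees)

def slack_payload(results):
    """Build the JSON body for a Slack incoming webhook; posting is left to the caller."""
    lines = [f"*Report {rid}*: " + "; ".join(f) for rid, f in sorted(results.items())]
    return {"text": "\n".join(lines) if lines else "All reports are within SLA."}

def _report(rid, created, last_activity, triaged, rating, state):
    """Construct a report in the assumed HackerOne JSON:API shape."""
    return {"id": rid, "attributes": {"created_at": created, "last_activity_at": last_activity,
                                      "triaged_at": triaged, "state": state},
            "relationships": {"severity": {"data": {"attributes": {"rating": rating}}}}}

NOW = datetime(2024, 10, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock (a Tuesday) for the sample
SAMPLE_REPORTS = [  # constructed sample data, not real reports
    _report("1001", "2024-09-30T09:00:00Z", "2024-09-30T09:00:00Z", None, "high", "new"),
    _report("1002", "2024-09-20T10:00:00Z", "2024-09-25T10:00:00Z", None, "medium", "new"),
    _report("1003", "2024-09-01T08:00:00Z", "2024-09-30T15:00:00Z", "2024-09-02T00:00:00Z", "critical", "triaged"),
    _report("1004", "2024-09-05T08:00:00Z", "2024-09-30T09:00:00Z", "2024-09-06T12:00:00Z", "high", "triaged"),
    _report("1005", "2024-07-30T08:00:00Z", "2024-08-20T09:00:00Z", "2024-08-01T00:00:00Z", "critical", "resolved"),
]

if __name__ == "__main__":
    print(slack_payload(evaluate(SAMPLE_REPORTS, NOW))["text"])
```

Run directly, it prints the Slack message for the sample: report 1002 is both stale (four business days idle, the weekend not counted) and past the triage deadline, 1003 is overdue against the critical window, 1004 is in the warning band of the high window, and 1001 and the resolved 1005 produce nothing. In a scheduled job the sample list is replaced by the API response and NOW by datetime.now(timezone.utc). The round-robin cursor has to be stored between runs (a key/value entry is enough), because triggered cloud functions start cold; without it every run restarts at the first assignee and the distribution is no longer even.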
Together with internal teams, we quickly resolved the situation, maintaining transparency and trust with the hacker community.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ember88\">Conclusion<\/h2>\n\n\n\n<p id=\"ember89\">Transitioning to HackerOne significantly improved IBM\u2019s vulnerability management process, reducing response and triage times. With enhanced visibility and streamlined workflows, we consistently met 100% of both platform and internal SLAs. This success enabled us to expand the scope of our Vulnerability Disclosure Program and strengthen our security posture, and it underscores the value of collaboration, efficiency, adaptability, and clear communication in building and managing a robust VDP. The insights we\u2019ve gained from this journey continue to shape our security approach, and I hope they serve as a valuable guide for others looking to enhance their vulnerability management practices.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember90\">Call to Action<\/h3>\n\n\n\n<p id=\"ember91\">If you\u2019re looking to launch or enhance your VDP, or if you need guidance on navigating the complexities of cybersecurity, I\u2019m here to help. Feel free to reach out for consulting, collaboration, or just to share your thoughts and experiences.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ember92\">Acknowledgments<\/h3>\n\n\n\n<p id=\"ember93\">I&#8217;m grateful to Kay and Carlos from the IBM security team, who reviewed this article and provided invaluable perspective based on our shared experience building the program. I also utilized AI to refine and enhance the clarity of this article.<\/p>\n\n\n\n<p>VDPs play a critical role in identifying vulnerabilities before they become threats, making them an essential component of an effective Vulnerability Management Program (VMP) strategy. 
For those looking to deepen their understanding of VMP, the <a href=\"https:\/\/www.linkedin.com\/company\/lonestar-application-security-conference-lascon\/\">Lonestar Application Security Conference (LASCON)<\/a> will be held later this month in Austin, TX. It&#8217;s a premier event for security professionals, developers, and engineers. I highly recommend attending, especially to hear from experts like mauvehed, who will discuss key strategies for managing vulnerabilities and securing applications. Don\u2019t miss the chance to connect and learn from leaders in the field.<a href=\"https:\/\/www.linkedin.com\/in\/alibkaba\/\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article builds on a previous piece, Why You Should Invite Hackers to Hack You: The Benefits of Vulnerability Disclosure&#8230;<\/p>\n","protected":false},"author":2,"featured_media":228,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-208","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"acf":[],"_links":{"self":[{"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/posts\/208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/comments?post=208"}],"version-history":[{"count":4,"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/posts\/208\/revisions"}],"predecessor-version":[{"id":261,"hr
ef":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/posts\/208\/revisions\/261"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/media\/228"}],"wp:attachment":[{"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/media?parent=208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/categories?post=208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alibkaba.com\/index.php\/wp-json\/wp\/v2\/tags?post=208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}