What the hell is an mVDP?

2025-05-25

Lately, I changed my role at Patchstack from Security Community Manager to mVDP Growth Manager. Apart from congratulations, I got a lot of questions "what is mVDP?". I think it's time to explain what it is and why you should be probably interested in it.

M is for Managed

Let's start with the definition of Vulnerability Disclosure Program:

A VDP is a structured framework for hackers to document and submit security vulnerabilities to organizations. VDPs help organizations mitigate risk by supporting and enabling the disclosure and remediation of vulnerabilities before hackers exploit them. VDPs usually contain a program scope, safe harbor clause, and remediation method. VDPs generally cover all publicly accessible, internet-facing assets. Publicly posted VDPs suggest that the organization is unlikely to be an easy target.

While a VDP is just a set of security-related rules, an mVDP is a service that helps with everything in the definition above: running the program, receiving reports, and getting vulnerabilities remediated. This matters because disclosing and managing vulnerabilities isn't simple, especially if security is not your field of expertise.

What will I get?

There are many mVDPs out there, but I will share what you get by signing up to Patchstack's mVDP.

Triage - no more beg bounties

One of the nightmares today is dealing with beg bounties - beg bounties are nothing more than attempts to get money using scare tactics. If you're not experienced, you might fall for it and lose some money. And believe me, even we are bombarded with beg bounty attempts daily.

On the other hand, you can't ignore them completely, because among all those bogus reports, there might be a valid report. That's why it's important to have someone experienced on your side to verify if the report is legit or not. Imagine wasting an hour daily verifying this.

Apart from beg bounties, there will be a lot of other cases where having another pair of eyes to verify a report will be very useful.

One more step into CRA-compatibility

The Cyber Resilience Act is a very important EU regulation regarding security. These new regulations will change a lot in terms of how companies handle security. The main requirements of the CRA are as follows:

For more information, you should read this article to understand the CRA better. But I think you can already see that having an mVDP will help you.

You have time until December 2027 to make sure you meet the requirements.

Making sure your patch is good enough

Vulnerabilities happen. There is no shame in this if you take it seriously and try to patch it as soon as possible.

On the other hand, especially if you're not experienced enough, it would be cool to have someone who knows a thing or two about security to validate if your patch is good enough. And here's where Patchstack's mVDP can help you. Our triage team will make sure that everything is fine.

Everything in one place

Imagine - you have quite a lot of plugins, and every plugin has a different owner. Chaos can creep in very quickly: you'll have too many places to check for security reports. As a result, at some point you will miss a critical report.

It would be great to have a universal form and a portal, from which you could manage everything, right? Good news - you can.

And believe me, we have seen too many cases of missed emails, broken forms, or expired domains.

Bonuses for security researchers

Another cool feature is a bonus for security researchers. This means they will be more interested in checking such plugins. By default, they get at least 15% extra points if they discover a vulnerability.

Does this mean they might find more vulnerabilities? Yes. And that's a good thing. If they do, you will be able to fix your plugin and make it more secure. We've already seen quite a few scenarios like this, but I think LiteSpeed Cache was the best example - they had a series of critical vulnerabilities, but after fixing those, they didn't have a severe vulnerability for around a year.

So, this means my plugin is 100% secure, right?

Hell no. Having an mVDP is just an indicator that you are probably taking security more seriously. The rest is up to you. You still have to:

But it's still a great start. Setting up everything and thinking about this means you are a step ahead.

OK, how much?

It's free - seriously. And I can promise that what I described above will always be free. If you're wondering where the catch is, there isn't one. For our plugin to protect users against vulnerabilities, we have to work closely with vendors and know about vulnerabilities early.

At some point, there will be paid tiers with extra features. But this won't affect the basic tier. And the basic tier will already help you in most cases.

Interested?

That's great - as a plugin or theme developer, you should be. Now, visit this link and add your plugins and/or themes. It works for both premium and free ones. The whole process is as easy as filling out one form and adding one link to your plugin or theme's readme.

And if you have any questions, just leave a comment or send me an email - I'm sure I will be able to help.
