A Government-Oriented Vulnerability Disclosure Program Model Based on Ethical Hacker Perspectives

Authors

  • Rio Putra Suryana Universitas Teknologi Yogyakarta
  • Suyud Widiono Universitas Teknologi Yogyakarta

DOI:

https://doi.org/10.58526/jsret.v4i4.948

Keywords:

Vulnerability Disclosure Program (VDP), vulnerability reporting, ethical hacking, government digital assets, bug hunter participation, safe harbour

Abstract

Digital transformation within government agencies has expanded the number of public-sector digital assets that require continuous cybersecurity protection. However, vulnerability reporting mechanisms in Indonesia remain fragmented, unstandardized, and legally ambiguous, limiting effective collaboration between ethical hackers and government institutions. This study explores the motivations, preferences, and challenges experienced by active vulnerability researchers in participating in government-led Vulnerability Disclosure Programs (VDPs). A descriptive qualitative approach was applied using open- and closed-ended online questionnaires completed by six respondents with proven experience in legal vulnerability reporting. The findings reveal that clear scope definition, transparent rules, timely responses, and legal protection (safe harbour) are the primary factors influencing participation. Although financial incentives are considered beneficial, most participants are willing to report without monetary rewards when non-financial recognition—such as points, badges, or official acknowledgment—is provided. The study also identifies key barriers, including unclear scope, lack of government responsiveness, and concerns regarding legal repercussions. Based on these insights, this work proposes a structured and centralized vulnerability reporting framework tailored for government environments. The proposed model emphasizes clear policies, triage transparency, non-monetary recognition systems, and safe-harbour protections to strengthen national cybersecurity resilience through collaborative public engagement.




Published

2025-11-29

How to Cite

Suryana, R. P., & Widiono, S. (2025). A Government-Oriented Vulnerability Disclosure Program Model Based on Ethical Hacker Perspectives. Journal of Scientific Research, Education, and Technology (JSRET), 4(4), 2452–2460. https://doi.org/10.58526/jsret.v4i4.948