Reporting vulnerabilities responsibly

Judit Szőcs (Marketing Manager)


If you have found a vulnerability and want to act responsibly, discretion is of the utmost importance. Remember that you now hold information that could be exploited by black hats, putting not only the enterprise and its reputation at risk, but also its users.

The definition of responsible vulnerability disclosure is far from obvious; companies and experts may interpret the word "responsible" differently. In general, responsible behavior consists of privately notifying the company about your findings so that it can address the issue and release a patch or software update before anything is made public.

To act ethically, the security researcher must give the vendor enough time to develop fixes and release software updates. Only after the necessary fixes are in place should the researcher publish their findings. Many disclosure policies also set a time limit (a fixed number of days is common) after which the researcher may publish even if no fix has shipped, so that a vendor cannot leave users exposed indefinitely; the important point is that the deadline is agreed on and known to both sides. A lack of coordination between the researcher and the vendor can end in catastrophe: imagine that all the information needed to exploit a piece of software were public, but nobody was acting to protect its users.

In the vast majority of cases, the largest and most innovative companies have responsible disclosure policies.

But what does this mean?

A company with a responsible disclosure policy encourages ethical hackers to research its services and report any vulnerabilities they find. It is essentially an admission that no system is perfect, theirs included, and that they are open and willing to improve their service.

If a company has a responsible disclosure policy, it should provide contact information for the most relevant person or team to send the information to. Companies sometimes publish forms containing all the questions they need answered before they can act. Whatever the format, the goal of a report is to let the team reproduce and assess the issue, so it should name the affected component, describe the steps to reproduce the problem, and state the impact you observed, without going further into their systems than needed to demonstrate it. If you do not find a form like this, the Open Society Foundation has a document which details what kind of information your report should include, as well as how you should act.

Bug bounty program

Some companies run bug bounty programs in which they offer monetary compensation to ethical hackers who report vulnerabilities. The amount of the reward can depend on several factors, such as the size of the company and the severity of the issue discovered.

Bug bounty programs and responsible disclosure policies generally have rules. Companies declare which systems are in scope for testing, and require ethical behavior from the hackers: if you do succeed in gaining access, you must not copy, modify or delete data, or change any settings of the software. Testing a system that is explicitly out of scope, or using an exploit to go further than proving the issue exists, can turn a valid report into a policy violation. You can learn more about what companies should consider before implementing these programs in this article from Detectify.

What if the company has no official program?

If this is the case, bug hunting is extremely risky and you need to be aware of the possible consequences. Although the majority of leading tech companies are grateful for reported bugs, not all of them are, and you could easily land yourself in legal trouble. The consequences and the legal actions vary from country to country, but even receiving letters from company lawyers can be distressing, let alone having the police unexpectedly knocking at your door.

Read the second part of this blog post, on how to prepare for a responsible disclosure program, here.

We at Avatao are building a platform to educate developers in security. Avatao offers a rich library of hands-on IT security exercises for software engineers that teach secure programming from design to deployment in a fun and intuitive way. Topics cover web security and secure coding in Java, C/C++, Python and Kotlin, and also include hot topics like the OWASP Top 10, GDPR, payment systems, secure API design, DevSecOps, and more.
