Reporting vulnerabilities responsibly
Judit Szőcs (Marketing Manager)
If you have found a vulnerability and you want to act responsibly, discretion is of the utmost importance. Remember, you now have information that could be exploited by black hats, putting not only the enterprise and its reputation at risk, but also its users.
The definition of responsible vulnerability disclosure is far from obvious; companies and experts may interpret the word "responsible" differently. In general, responsible behavior consists of privately notifying the company about your findings in order to let them address the issue and release a patch or software update before going public.
To act ethically, the security researcher must provide the vendor with enough time to develop fixes, patches, and release software updates. Only after all the necessary improvements are completed should the researcher disclose their findings. Lack of coordination between the researcher and the vendor company can result in a catastrophe. Just imagine what would happen if all the information necessary to exploit a piece of software were public, but nobody acted to protect the users.
In the vast majority of cases, the biggest and most innovative companies have responsible disclosure policies.
But what does this mean?
The company with a responsible disclosure policy encourages ethical hackers to research their services and report any vulnerabilities they find. It is essentially an admission that no system is perfect, theirs included, and they are open and willing to improve their service.
If a company has a responsible disclosure policy, they should provide contact information of the most relevant person or team to send the information to. Companies sometimes have forms containing all the relevant questions they need answers to before being able to act. If you do not find a form like this, the Open Society Foundation has a document which details what kind of information your report should include, as well as how you should act.
Bug bounty program
Some companies have bug bounty programs in which they offer monetary compensation for ethical hackers who report vulnerabilities. The amount of the reward can depend on several factors such as the size of the company and the severity of the issue discovered.
Bug bounty programs and responsible disclosure policies generally have rules. Companies declare which systems can be subjected to testing, and require ethical behavior from the hackers: that is, you should not copy, delete, rewrite data, or change any settings on software during a successful attack. You can learn more about what companies should consider before implementing these programs in this article from Detectify.
What if the company has no official program?
If this is the case, bug hunting is extremely risky and you need to be aware of the possible consequences. Although the majority of leading tech companies are grateful for reported bugs, not everybody is, and you could easily land yourself in legal trouble. The consequences and the legal actions can vary from country to country, but even getting letters from company lawyers can be distressing, let alone having the police unexpectedly knocking at your door.
Read the second part of this blog post on how to prepare for a responsible disclosure policy program here.
We at Avatao are creating a platform to educate developers in security. Avatao offers a rich library of hands-on IT security exercises for software engineers to teach secure programming from design to deployment in a fun and intuitive way. Topics cover web security, secure coding in Java, C/C++, Python or Kotlin, and also include hot topics like the OWASP Top 10, GDPR, payment systems, secure API design, DevSecOps, and more.