If you have found a vulnerability and you want to act responsibly, discretion is most important. Always remember that you hold information that can be exploited by black-hats, putting not only the enterprise and its reputation but also its users at risk.
The definition of responsible vulnerability disclosure is far from obvious; companies and experts may interpret the word "responsible" differently. Generally, it can be said that responsible behavior is to notify the company privately about your findings, so that they can act and release a patch and a software update before the issue goes public.
In an ethical process the security researcher must give the vendor enough time to develop fixes and patches and to release software updates. Only after all the necessary improvements are finished should the researcher disclose the findings. A lack of coordination between the researcher and the vendor can result in a catastrophe. Just imagine what would happen if all the information needed to exploit a piece of software were public, but nobody acted to protect the users.
But what does this mean?
A company that has a responsible disclosure policy encourages ethical hackers to research its services and report the vulnerabilities they find. It is basically an admission that no human-designed system can be perfect, theirs included, and that they are open to improving their service.
If a company has a responsible disclosure policy, it should provide contact information on its website that leads to the most competent team or person in the enterprise. Companies sometimes publish forms with all the relevant questions they need answered before acting. If you do not find a form like this, the Open Security Foundation has released a document that details what kind of information you should include in your report, along with how you should act.
Some companies run bug bounty programs. They offer monetary compensation to ethical hackers who report vulnerabilities. The amount of the reward depends on several factors, such as the size of the company and the severity of the reported issue.
Bug bounty and responsible disclosure programs usually have rules. Companies declare which systems are in scope for testing, and they require ethical behavior, which means you should not copy, delete or rewrite data, or change any settings or software, during a successful attack. From Detectify's article you can learn about the aspects companies must consider before releasing a program.
Bug hunting is also a risky business, and we need to draw your attention to the possible consequences. Although the majority of leading tech companies are grateful for reported bugs, not everybody is. You can find yourself in legal trouble. The consequences and the legal actions vary from country to country, but even receiving letters from company lawyers is distressing enough, not to mention the police knocking on your door.
Read the second part of this blog post on how to prepare for a responsible disclosure policy program here.
We at Avatao are creating a platform to educate developers in security. Avatao offers a rich library of hands-on IT security exercises for software engineers to teach secure programming from design to deployment in a fun and intuitive way. Topics cover web security and secure coding in Java, C/C++ and Python, and also include hot topics like GDPR, payment systems, secure API design, DevSecOps and more.