Report a vulnerability in a responsible way!

Written by Judit Szőcs

If you have found a vulnerability and you want to act responsibly, discretion is most important. Always remember you have information that can be exploited by black-hats putting not only the enterprise and its reputation, but its users at risk.

The definition of responsible vulnerability disclosure is far from obvious, companies and experts may interpret the word „responsible” differently. Generally, it can be said that responsible behavior is to notify the company privately about your findings in order to let them act and release a patch and a software update before going public.

In an ethical process the security researcher must provide the vendor enough time to develop fixes, patches and release software updates. After all the necessary improvements are finished, only then should the researcher disclose the findings. The lack of coordination between the researcher and the vendor company can result in a catastrophe. Just imagine what would happen if all the information to exploit a software would be public, but nobody would act to protect the users.

In many-many cases – the biggest, most innovative companies – have so-called responsible disclosure policies.

But what does this mean?

The company that has a responsible disclosure policy encourages ethical hackers to research their services and report the vulnerabilities found. It is basically a confession that no human-designed system can be perfect, neither theirs, but they are open to improve their service.

If a company has a responsible disclosure policy, they should provide contact information on their website which leads to the most competent team or person in the enterprise. Companies sometimes publish forms with all the relevant questions they need to know before acting. If you do not find a form like this, Open Security Foundation has released a document – in which they detail what kind of info you should include in your report – along with how should you act.

Bug bounty program

There are companies having bug bounty programs. They offer monetary compensation for ethical hackers who report vulnerabilities. The amount of the reward depends on several factors such as the size of the company and the severity of the found issue.

A bug bounty and responsible disclosure policy program usually has rules. Companies declare which systems are subject to testing and they require ethical behavior which means you should not copy, delete or rewrite data or change any settings or softwares during a successful attack. From the article of Detectify you can learn about the aspects companies must consider before releasing a program.

What if there is no official program declared by the company?

Then bug hunting is a risky business and we need to draw your attention to the possible consequences. Although the majority of leading tech companies are grateful for reported bugs, not everybody is. It can happen that you are getting yourself into legal trouble. The consequences and the legal actions can vary from country to country, but even getting letters from company lawyers is too distressing not to mention police knocking on your door.

Read the second part of this blog post on how to prepare for a  responsible disclosure policy program here.

We, at Avatao are creating a platform to educate developers in security. Avatao offers a rich library of hands-on IT security exercises for software engineers to teach secure programming from design to deployment in a fun and intuitive way. Topics cover web security, secure coding in Java, C/C++, Python and also include hot topics like GDPR, payment systems, secure API design, DevSecOps and more.

Take a tour on our platform!

Related Articles

The Tutorial Framework: Containerizing IT Security Knowledge

The Tutorial Framework: Containerizing IT Security Knowledge

How can we make security education a whole lot more accessible and fun? The tutorial framework is the answer. In this article we dive into how to create interactive learning environments running inside containers. The Phantom Menace Something is not quite right with...

How cybersecurity contributes value to business

How cybersecurity contributes value to business

Cybersecurity: a tough reality Cybersecurity is an inherently negative asset. As with any protective measure, the major challenge is to measure the value (or Return on Investment, ROI) of cybersecurity. It is significantly more difficult to make this value apparent to...