Written by Judit Szőcs
If you have found a vulnerability and you want to act responsibly, discretion is most important. Always remember that you hold information that can be exploited by black-hats, putting not only the enterprise and its reputation but also its users at risk.
The definition of responsible vulnerability disclosure is far from obvious; companies and experts may interpret the word "responsible" differently. Generally, responsible behavior means notifying the company privately about your findings so that it can act, release a patch and ship a software update before anything goes public.
In an ethical process the security researcher must give the vendor enough time to develop fixes, patches and software updates. Only after all the necessary improvements are finished should the researcher disclose the findings. A lack of coordination between the researcher and the vendor can result in catastrophe: imagine all the information needed to exploit a piece of software being public while nobody acts to protect the users.
In many cases – the biggest, most innovative companies among them – organizations have so-called responsible disclosure policies.
But what does this mean?
A company that has a responsible disclosure policy encourages ethical hackers to research its services and report the vulnerabilities they find. It is essentially an admission that no human-designed system can be perfect, theirs included, and that they are open to improving their service.
If a company has a responsible disclosure policy, it should provide contact information on its website that leads to the most competent team or person in the enterprise. Companies sometimes publish forms with all the relevant questions they need answered before acting. If you do not find such a form, the Open Security Foundation has released a document detailing what information you should include in your report and how you should act.
Bug bounty program
Some companies run bug bounty programs. They offer monetary compensation to ethical hackers who report vulnerabilities. The amount of the reward depends on several factors, such as the size of the company and the severity of the issue found.
A bug bounty or responsible disclosure program usually has rules. Companies declare which systems are in scope for testing, and they require ethical behavior, which means you should not copy, delete or rewrite data, or change any settings or software, once an attack succeeds. The Detectify article explains the aspects companies must consider before releasing a program.
What if there is no official program declared by the company?
Then bug hunting is a risky business, and we need to draw your attention to the possible consequences. Although the majority of leading tech companies are grateful for reported bugs, not everybody is. You can get yourself into legal trouble. The consequences and legal actions vary from country to country, but even receiving letters from company lawyers is distressing enough, not to mention the police knocking on your door.
Read the second part of this blog post, on how to prepare for a responsible disclosure program, here.
We at Avatao are building a platform to educate developers in security. Avatao offers a rich library of hands-on IT security exercises for software engineers, teaching secure programming from design to deployment in a fun and intuitive way. Topics cover web security, secure coding in Java, C/C++ and Python, and also include hot topics like GDPR, payment systems, secure API design, DevSecOps and more.