As of late I seem to get into more and more discussions around this subject. I am fortunate enough to own a web security company which has grown in brand reputation to the point where when we disclose we often get a response, but that is not always the case. We go through the same struggles many do around disclosure.
- When is it appropriate to disclose?
- What time-frame should you give?
- What do you do if you don’t receive a response?
- What do you do if you get a response that blows you off?
These are all common questions that go through everyone’s head when it comes to disclosure. A friend of mine shared his frustrations in a recent post, When Vulnerability Disclosure Fails. The harsh reality is that this is the case for so many security researchers today: there is a very serious challenge in communicating security issues to the appropriate parties within any organization. Janne goes on to provide very good advice to all organizations:
Responsible vulnerability disclosure should be a short but clear dialogue. Domain owners, web-masters and coders – please consider opening a channel for security researchers. E-mail is preferred. Open security@yourdomain, security-alert@yourdomain, secure@yourdomain or a similar email address and monitor it. This is a fairly easy and cheap solution. The normal contact addresses like info@yourdomain often do not work with vulnerability reports. Contact forms are bad for reporting security vulnerabilities.
I can’t stress enough the importance of the first sentence.
Just last week I was having a conversation with a development / design shop out of Australia and they were telling me a horror story. They had been contacted by a security researcher whose first email was a rant about how crappy their security posture was and how, if they did not receive a response, they would publicly humiliate the company, its clients and its followers. Although they did engage with the individual, they were horrified by the process and asked me why that was the way it was. I had no good answer for them, other than to say I’m sorry, it shouldn’t be that way.
This was a pretty novice organization; imagine if it had been a more mature one. Do you think this might be why we get the responses we get? I would say yes: these amateurish engagements by security researchers are contributing to the overall negative experience for all. They are forcing organizations to close their doors to engagement and adding to the frustration on the researchers’ side.
We have to stop this and work to build relationships.