We Want Responsible Disclosure, Don't You?

Posted by Joe Basirico on October 10, 2011 at 10:14 AM
Find me on:

I wrote earlier about Security Innovation’s policy on Responsible Disclosure over Open or Full Disclosure. It wasn’t my intention in that piece to discuss how responsible disclosure happens or what companies can do to help make responsible disclosure the easy choice for hackers and security researchers.

As a vendor it is important to create a process by which you can respond to security researchers wanting to alert you to security issues. Many openly disclosed security vulnerabilities are disclosed after researchers can't find the right person to talk to and get fed up, often after hours or days, with trying to navigate arbitrary policy or procedure to find the right person to disclose the issue to.

The researcher is doing you an incredible favor and giving you a choice. On one hand you're getting potentially thousands of dollars of security testing time for free, on the other hand you could have an unmitigated security vulnerability published on the Internet for all to see.

This post was precipitated by a clear mishandling of this type of issue by American Express. I’m sure this wasn’t because American Express didn’t want to deal with the issue, or didn’t want to be secure, they simply lacked the process in place to do so in a timely fashion. They were contacted two days ago via twitter after no direct e-mail could be found. After two days the person who found the issue wrote a blog post about it and submitted the issue to the world.

While two days is a short amount of time to respond to an attacker, but today Niklas Femerstrand (sqnrq) sent this tweet “Thanks! Although I would've preferred handling it behind the scenes as usual.”

Here are some tips on how to make it easy for security researchers to contact you if they have found a security issue.

Make it easy to submit bugs on the website. A simple form or e-mail address will do. Respond to any security issue as fast as possible and absolutely within 24 hours. Setup an auto-responder telling the submitter what they can expect out of the process.

The person that responds to the submission should have enough knowledge about the system to respond intelligently to the researcher. If they aren't the person that will be helping to fix the issue, they should know who that is and be able to get that person in contact with the researcher in hours.

Each person in your company should know what to do if they are contacted by a security researcher in the field with a potential vulnerability. This might be as easy as putting them in touch with a lead on your security team, an architect or a lead developer or tester. You may choose to have a larger number of people handle the process themselves by asking the right questions and being generally responsive to the researcher.

Finally, generally be amicable to the researcher. As I mentioned above they're doing you a favor. It's likely they stumbled across this issue on accident while trying to do something legitimate on your website. Security folks tend to see software differently than most people. Reward programs such as Google’s Security Hall of Fame and rewards system is a great example of this, as is Facebook’s new reward policy. Not all rewards have to be monetary, hardware, software, gift cards or even just a public announcement giving recognition to the research can go a long way toward good will toward your company.

At the end of the day most security researchers want to alert you of the issues they've found, and want to make the world a more secure place. Don't treat researchers like criminals or they will act like criminals. Giving them a clear way of alerting you of new security issues discovered is a great way to get some free security testing.

Topics: application security

Joe Basirico

Written by Joe Basirico