Security Innovation strongly stands behind our corporate policy of Responsible Disclosure, which I’ve written about before. Building upon that, I feel that it’s important to accept and encourage Security Researchers to test your software and report the vulnerabilities they find in a responsible way.
Security Researchers help to push the state of security forward. Their research helps us understand what is possible and what is emerging in the security landscape. Without Security Researchers we may very well still be discussing whether or not basic stack-based buffer overflows are possible, like we did in '96.
Security Researchers frequently give their time and efforts away in exchange for the knowledge that they’re helping end users to have a more secure software experience. It’s troublesome that end users have to worry that their information may be stolen by an online hacker. Additionally, they have to rely on blind faith that their technology vendors are conducting proper due diligence as it pertains to application security testing, awareness training, and validation – when often they are not.
Bug bounty programs are a great way to extend an olive branch to Security Researchers, but of course they are not the main driver for research to take place. If you think the idea of a free t-shirt or a few hundred dollars is the incentive for a Security Researcher to spend their nights and weekends for three months tracking down an elusive RCE vulnerability, you’ll be surprised.
Bug bounty programs are a great sign that there is a caring team on the other end of that security@ email address that wants to build secure software, and that it’s reasonably likely you’re not going to get sued for your trouble.
There’s a passion in the community and a desire to help all customers and end users.
Being responsive to these Security Researchers when they give you free vulnerability information is good policy and is well worth your time, even if it means assigning one of your own engineers to slog through a few false positives and already known issues to triage the findings and reach out to the researcher for clarification.
Disallowing Security Researchers from reverse engineering or attacking your software will decrease the number of anonymously reported vulnerabilities, and it certainly won’t protect your users from vulnerabilities. The software will have the same issues; it’s just that you won’t know about them, and your users won’t be able to protect against them. Fewer researchers will want to spend their time finding and reporting issues to a non-cooperative organization, and in the end this results in nothing but a disservice to the end user.