Vulnerabilities and misconfigured systems are common reasons why a company ends up in the news headlines. While some big companies show off their bug bounty programs, others publish their security expectations by means of a responsible disclosure policy. Is your company prepared for ethical hackers by providing a responsible disclosure policy?
Responsible Disclosure Goal
The main goal of a responsible disclosure policy is to provide disclosers with a means to report a discovered security issue. It takes the form of a published document, usually available on the website of the company. The document or web page sets out the ground rules of the disclosure, including the method for providing the details and the related expectations and responsibilities of both parties.
Even though a process might be in place to report security issues, the discloser is never exempt from any legal rules. Someone who commits a crime to find a vulnerability and then reports it is still considered a criminal and might be prosecuted according to the applicable law.
Responsible Disclosure Guidelines
A first step towards a clear disclosure process is establishing clear ownership of the assets, such as the website or systems to be used for reporting a disclosure. Secondly, the company provides several key elements in the published document on how it will deal with a disclosure, like:
- Method of sending the disclosure (manually, automated, format)
- Disclosure to other parties (e.g. an external CERT or CSIRT)
- Acknowledgement of receipt of the disclosure
- Expected time to deal with the provided information, and what is expected of each party
- How it will publish the disclosure and to whom
- Whether credits will be published
- Whether anonymous disclosures are possible
Since both parties are responsible for a decent follow-up, it’s good to have clear expectations set upfront. This includes the timeline for how long the company can take to do internal analysis, the confirmation of the existence of the vulnerability, and how it will inform the discloser.
The discloser has to act ethically, for example by providing the methods used to find the vulnerability and by giving the company a decent amount of time to analyse, fix and report. The discloser should also share information and expectations about the follow-up once the disclosure is made public.
If you are responsible for this particular policy document, consider how people might go about finding it. Make the document available via a visible link, such as on a contact page, or make it easy to find via an embedded or external search engine. This way disclosing parties can find the document and inform your company about the leak or vulnerability.