As a young and idealistic ethical hacker, I wanted to help fix the online world, to make it a better and more secure place for everyone. Ethical disclosure was one of the ways I thought I could make a difference. After all, having folks willing to investigate your security for free, and then tell you about the issues, seemed like it would be highly beneficial and warmly welcomed. It wasn’t.
Ethical disclosure circa 2005-2010 was an absolute horror show. First, it was difficult to find someone to talk to within an organisation. When you did find someone, you would have to clarify what the problem was, explain that you were not attacking them (very important), that this was a friendly ‘heads-up’ and that you wouldn’t be sharing the secrets with anyone. I do not miss the sweaty palms while waiting to see if it was going to be “thanks for the info!” or “here’s another lawyer’s letter. Cease & Desist!” It was usually the latter.
At the time, I was baffled by how communications like this could result in such action. It seemed hard to justify when the bad guys were targeting you and not telling you anything, whilst the good guys, the ones pointing out your vulnerabilities, were getting legal threats.
As I’ve matured, I can see the layers of pressure which could generate such a response, but things are getting better. Bug bounty programs have helped a great deal and it’s fantastic to see organisations make better use of the information security community, but they aren’t for everyone.
Even if bug bounties aren’t for you, you can still benefit from ethical disclosure, and I have seen it done extremely well by several organisations over the years. So, what can you learn from these companies if you wish to reap the benefits of ethical disclosure?
First, identify a point of contact who will be responsible for inbound disclosures and give them the information they need to effectively triage reports. This could include a risk register (even if it is just on a spreadsheet) and an up-to-date list of assets, showing who is responsible for each asset and how to contact them. You may even want to estimate the value of the assets to your business, thereby allowing the person responsible for triaging to prioritise their efforts.
Secondly, make disclosure contact details visible and create a PGP key to ensure reports can be sent securely. This will give researchers the confidence that reports will be taken seriously and provide them with a direct route by which to disclose their findings.
Thirdly, don’t make legal threats your default position. Draw up a disclosure policy and publish it on your website. This will help outline what reporters can expect from you. It can also set out the ground rules for disclosure, especially which systems reporters can and cannot look into. If a report is in breach of this policy, then, yes, legal ‘cease and desist’ letters can be used.
Finally, acknowledge reporters where you can. This doesn’t have to be a monetary reward; it can be as simple as crediting the reporter on your website. These steps often require minimal effort, but they can be extremely beneficial, and they are a great starting point for improving your cyber maturity.
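The four steps above map directly onto the fields of a security.txt file (RFC 9116), the standard way to make a disclosure contact, PGP key, policy and acknowledgements page discoverable. As an added example that is not from the original article, here is a Python script that assembles such a file and checks it for the defects that most often make a researcher give up (missing or expired Expires line, plain-HTTP links); example.com and its URLs are constructed placeholders.

```python
# Assemble and sanity-check a security.txt (RFC 9116) for the contact, PGP key, policy and acknowledgements above.
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")  # mandatory fields under RFC 9116
KNOWN = REQUIRED + ("Encryption", "Policy", "Acknowledgments", "Canonical", "Preferred-Languages")
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"    # RFC 3339 UTC form the standard requires for Expires

def build_security_txt(fields, valid_days=180):
    """fields maps field name -> list of URIs; a dated Expires line is appended."""
    expires = datetime.now(timezone.utc) + timedelta(days=valid_days)
    lines = [f"{name}: {v}" for name, values in fields.items() for v in values]
    lines.append(f"Expires: {expires.strftime(DATE_FMT)}")
    return "\n".join(lines) + "\n"

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems, seen = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are allowed
            continue
        if ":" not in line:
            problems.append(f"malformed line: {line!r}")
            continue
        name, value = (p.strip() for p in line.split(":", 1))
        seen.setdefault(name, []).append(value)
        if name not in KNOWN:
            problems.append(f"unknown field: {name}")
    for name in REQUIRED:
        if name not in seen:
            problems.append(f"missing required field: {name}")
    for v in seen.get("Expires", []):
        try:
            exp = datetime.strptime(v, DATE_FMT).replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
        except ValueError:
            problems.append(f"Expires is not RFC 3339 UTC: {v}")
    for name in ("Contact", "Encryption", "Policy", "Acknowledgments"):
        for v in seen.get(name, []):
            if v.startswith("http://"):  # plain HTTP lets the key or contact be tampered with in transit
                problems.append(f"{name} must use https, not http: {v}")
    return problems

# Constructed sample for the hypothetical host example.com; not a real programme.
SAMPLE_FIELDS = {"Contact": ["mailto:security@example.com"],
                 "Encryption": ["https://example.com/.well-known/pgp-key.txt"],
                 "Policy": ["https://example.com/disclosure-policy"],
                 "Acknowledgments": ["https://example.com/security-thanks"]}
```

Serve the output at /.well-known/security.txt over HTTPS and re-run the check before the Expires date passes.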
Article originally published in Computing Security Magazine