One of the ways to improve the security of your website and data is by placing a responsible disclosure policy on your website. In this blog we explain how it works.
With a responsible disclosure policy you ask others to report any vulnerabilities they find on your website. In the document that you put online you say: "report the vulnerabilities that you can find, as long as you abide by the following rules." You never want anyone else to know more about your security than you know, right?
The advantage of the agreement is that there are multiple parties, each with their own specialization, that can take a look at your security. A responsible disclosure policy gives the good guys an incentive to report vulnerabilities. Good guys will only report vulnerabilities these days if you have a good responsible disclosure policy. Not because they don’t want to, but just because of possible legal consequences.
With a responsible disclosure policy you offer the good guys a "gentlemen's agreement": you won't take any legal action as long as the reporter stays within the boundaries you've set.
Hackers with bad intentions do not benefit from a responsible disclosure policy. It works like this: you create conditions that well-intentioned hackers must abide by. You state that if they abide by them, you will not take legal action against them. If they do not abide by them, you are free to go to the police.
There are three different ways in which someone can deal with a discovered vulnerability: full disclosure, non-disclosure and responsible disclosure.
In full disclosure, the person who finds a vulnerability on your site makes it known to the world straight away that there is a leak in your security. In non-disclosure the opposite happens: someone finds a leak in your security and keeps it to themselves.
The disadvantages of non-disclosure and full disclosure are obvious. If you are not made aware of a vulnerability in your security (non-disclosure), you cannot fix it. If a hacker with bad intentions finds it before you do, he or she can break in, and the users of your website will eventually be the victims.
By bringing a vulnerability directly into the open you create a situation in which your website visitor is vulnerable. After all, it can take a few hours, days, weeks or even months before the security leak is fixed. In the meantime, any hacker can break in with malicious intent.
Responsible disclosure is the middle ground. The hacker reports the vulnerability to the company or organization, which then gets the time, possibly together with the reporter, to fix it. This way the vulnerability stays secret until it has been fixed at the affected site, after which other hackers can still learn from it.
Responsible disclosure policies should be mandatory for every company. A responsible disclosure policy allows researchers and hackers, whether or not they are affiliated with Zerocopter, to report a vulnerability found in a system.
Written by Zerocopter
February 23, 2017