Ethical hackers report vulnerabilities either as the result of an active search (for example through a so-called 'researcher program') or because they stumbled on one as an ordinary user of an online environment that offers a responsible disclosure policy for reporting it.
But then what? How do you respond to the reports that come in, and how do you communicate with the ethical hacker?
The first step is to send the hacker a confirmation that the report was received. How quickly that confirmation follows the report differs from organisation to organisation: the government generally takes three working days, while Zerocopter and companies such as Netflix and GitHub promise to respond as quickly as possible.
We would advise you to state your average response time in the responsible disclosure policy, so the reporter knows what to expect before escalating or going elsewhere.
Fix the problem
From the moment the vulnerability is reported, the clock starts ticking. The ethical hacker will not disclose the vulnerability publicly, but the same weakness is there for anyone else to find. In general you have 60 days to process the report and resolve the vulnerability. Hardware problems are usually harder to fix, so for those a period of 6 months is the accepted default.
To solve the problem, bring the reporter and your own IT team into direct contact with each other. The reporter knows exactly how to reproduce the vulnerability, and your own employees know the online environment best and have the know-how to fix it.
While solving the problem, actively involve the reporter in finding the right solution: they can confirm that the fix actually closes the hole, and not just the one reproduction path they reported. Working towards a satisfactory solution as a team also increases the chance that the ethical hacker wants to help you again in the future.
Attachments exchanged with the reporter (proof-of-concept scripts, screenshots, logs) should be encrypted. Otherwise every mail server, ticketing tool and mailbox in between holds a readable description of a vulnerability you have not fixed yet. The usual way to do this is PGP: publish your so-called public PGP key online, preferably together with its fingerprint so reporters can check they have the right key. Anyone can then use the public key to encrypt files for you, and only you can decrypt them, using your private key unlocked with its passphrase. The same mechanism works in the other direction when the reporter publishes a key of their own.
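The workflow above, carried through with GnuPG as an added example (this is not code from the original article): the organisation generates a key pair and exports the public half for publication, the reporter imports that key and encrypts a report to it, and the organisation decrypts it with the private key and passphrase. The e-mail address, passphrase and report text are constructed for the demo, and both keyrings live in throwaway directories so nothing touches your real keyring.

```shell
#!/bin/sh
# Added example: encrypted attachment round-trip with GnuPG (gpg 2.1 or later).
# All identities, the passphrase and the report contents are constructed.
set -eu

VENDOR_UID="Security Team <security@example.com>"   # hypothetical address
VENDOR_PASS="correct horse battery staple"           # hypothetical passphrase

# Step 1 (organisation): create a key pair in batch mode and export the
# public key. The .asc file is what you publish on the website.
publish_public_key() {
  GNUPGHOME="$VENDOR_HOME" gpg --batch --quiet --pinentry-mode loopback \
      --passphrase "$VENDOR_PASS" \
      --quick-gen-key "$VENDOR_UID" default default never
  GNUPGHOME="$VENDOR_HOME" gpg --batch --quiet --armor \
      --export "$VENDOR_UID" > "$WORK/security-team.pub.asc"
  echo "$WORK/security-team.pub.asc"
}

# Step 2 (reporter): import the published key and encrypt the report to it.
# --trust-model always skips the web-of-trust prompt; a real reporter should
# instead compare the key fingerprint with the one printed in your policy.
# $1 = plaintext path, $2 = public key path; prints the ciphertext path.
encrypt_report() {
  GNUPGHOME="$REPORTER_HOME" gpg --batch --quiet --import "$2"
  GNUPGHOME="$REPORTER_HOME" gpg --batch --quiet --yes --armor \
      --trust-model always --recipient "$VENDOR_UID" \
      --output "$1.asc" --encrypt "$1"
  echo "$1.asc"
}

# Step 3 (organisation): decrypt with the private key and its passphrase.
# $1 = ciphertext path; prints the plaintext path.
decrypt_report() {
  out="${1%.asc}.decrypted"
  GNUPGHOME="$VENDOR_HOME" gpg --batch --quiet --yes --pinentry-mode loopback \
      --passphrase "$VENDOR_PASS" --output "$out" --decrypt "$1"
  echo "$out"
}

# Full round trip in fresh temporary keyrings. Prints "ok" when the decrypted
# file matches the original and the ciphertext does not contain the plaintext.
roundtrip() {
  WORK="$(mktemp -d)"
  VENDOR_HOME="$WORK/vendor"       # the organisation's private keyring
  REPORTER_HOME="$WORK/reporter"   # the ethical hacker's keyring
  mkdir -m 700 "$VENDOR_HOME" "$REPORTER_HOME"

  # Constructed report text standing in for a real finding.
  printf 'Reflected XSS in /search?q= on staging.example.com\n' > "$WORK/report.txt"

  pub="$(publish_public_key)"
  ct="$(encrypt_report "$WORK/report.txt" "$pub")"
  pt="$(decrypt_report "$ct")"

  if cmp -s "$WORK/report.txt" "$pt" && ! grep -q "staging.example.com" "$ct"; then
    result=ok
  else
    result=FAIL
  fi

  # Stop the agents gpg started for the temporary homes, then clean up.
  GNUPGHOME="$VENDOR_HOME" gpgconf --kill all 2>/dev/null || true
  GNUPGHOME="$REPORTER_HOME" gpgconf --kill all 2>/dev/null || true
  rm -rf "$WORK"
  echo "$result"
}
```

Run `roundtrip` after sourcing the script; it prints `ok`. In day-to-day use you would skip the key generation, keep the private key on the machine of whoever triages reports, and hand reporters the exported `.asc` file plus its fingerprint through the policy page.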
Reporting obligation in the Netherlands
Since January 1st 2016 there has been a legal reporting obligation in the Netherlands. Organisations must immediately report a serious data breach to the Autoriteit Persoonsgegevens (the Dutch data protection authority), and in some cases they must also inform the people involved, that is, those whose personal data leaked.
The authority has published guidelines for reporting data breaches. They are intended to help organisations determine whether a situation must be reported to the authority and to the people involved. Organisations that need to report a data breach to the authority can do so through its registration point.