Categories
Tech

Where is your responsible disclosure page?

I want to start by saying that this article is not only for security professionals. If you have the power to influence positive change at your organisation then this article is for you. With that said, let’s begin…

Take a minute to visit your corporate website and look for a “security” or “responsible disclosure” page or link. Go on, do it now and continue reading after you’ve had a look.



Don’t see one? Maybe you have one but it’s obscured and requires a little bit of clicking and button pressing. If so, keep reading…

But why?

First, let’s start with the why. If a member of the public finds a security or privacy issue (regardless of whether it’s a security researcher or someone innocuously using your website or mobile app) you should make it as easy and as quick as possible for them to report an issue to an appropriate person or team within your organisation.

If you don’t, the best case is that you don’t find out about a potentially serious vulnerability that could be addressed before it is abused by criminals.
The worst case is that you don’t find out about an issue which then gets abused by criminals and you only find out about it from the Daily Mail after you’ve been hacked.

Don’t make it difficult for people to report security or privacy issues to you. No one should have to sit through a chat bot on your website, hunt around for someone in your security team on LinkedIn (or your CTO/CEO if you don’t have anyone in security – I’ve personally had to do this on a number of occasions) or guess if their report should go to security@, support@, contact@, privacy@, etc – if those addresses even exist!

Okay, how can I make it easy to report issues?

It’s actually not that difficult:

  • Put a “Security” or “Responsible Disclosure” link on your home page. It doesn’t need to be the first thing you see. Put it in the footer where almost everyone expects to see other meta links like “About”, “Contact” and “Careers”.

    Your responsible disclosure page should make it super clear how members of the public should reach you. You can choose how detailed you want it to be; it can be as simple as a few lines or you can make it a bit longer and include a few more details like what things the reporter should include in their report.

    Believe it or not, by doing this one simple thing, you’ll be doing better than most other organisations out there when it comes to responsible disclosure.

  • Secondly, look at adding a security.txt file to your website. This one is geared more towards security researchers and automated tooling than it is to members of the public; it’s worth doing after you’ve tackled the first point above (members of the public won’t know, nor should they need to know about the ironically named .well-known directory on your website).

Conclusion

If you’ve read this far, I hope you can appreciate how simple it can be to keep your organisation and customers safe by making it easy for people to report security and privacy issues.

If you’re concerned you’ll be opening yourself up to a tsunami of security vulnerability reports then I can say that from personal experience, I only ever see a handful of reports every couple of years.

Oh and one final thing I should mention because I didn’t explicitly call it out – you need someone appropriate (ideally a team distribution group or similar) to actually be on the other side of the responsible disclosure process. It’s all for nothing if no-one is looking at the reports that come through.