What are approaches to forming solid relationships with security researchers?

For example, is publishing a public PGP key on the "contact us" page of a company's website for high levels of risk related to security standard practice?

blunders

2 Answers

Here are several steps you could take to encourage security researchers to disclose vulnerabilities to you:

  • Waive liability. Promise not to sue researchers who disclose vulnerabilities to you in a responsible fashion. Currently, many researchers report worrying that reporting a vulnerability to a company could get them sued, and so sometimes they just don't report vulnerabilities they find. By prominently and publicly committing not to do that, you can help security researchers feel more comfortable contacting you. See here, here, here, here, here, here, and here.

  • Thank the researchers. Publicly and prominently acknowledge the researchers who have reported vulnerabilities to you, in vulnerability announcements and other forums. Many researchers who report vulnerabilities do so out of a sense of responsibility and service to the community, and the only quid pro quo is possibly some public acknowledgement. A policy of publicly acknowledging reporters costs nothing, and encourages others to report in the future.

  • Establish a security reporting address. Clearly indicate how to report security vulnerabilities to your team. (You'd be surprised by how many places don't take this simple step.)

  • Act promptly on bug reports. When a security problem is reported, act on it within a reasonable time frame. If researchers report a bug to you and you take no action, or you drag your feet, then researchers may get fed up with you, say "to heck with it", and stop reporting vulnerabilities to you (e.g., instead just releasing them publicly). To pick one recent example, look at how Yelp responded to a report of a security problem with their mobile site; that's an exemplary, outstanding response.

  • Pay for bug reports. Establish a bounty program that will provide payment to those who first report a serious security problem to you (if it has not been previously or simultaneously disclosed in public).

D.W.

Good incident handling will turn out to be good for your business too. Everybody can be affected by a security issue (sometimes only due to third party software). But those who openly share their findings and show a coordinated process in dealing with security flaws will earn the users' trust. Brushing things like that under the carpet makes it only more embarrassing, once people find out ;) – freddyb Nov 20 '11 at 03:51

You can't form a good relationship with security researchers.

The first problem is within your own company. When they report a bug, employees in your company go into a denialism phase, trying to prove it's not a bug. It doesn't matter how you feel, even if you are the CEO. One reason for this is that indeed, most vulns reported by security researchers are bogus. You have to sift out the valid vulns from a large number of invalid vulns.

The second problem is that most researchers who report vulns aren't interested in a "solid relationship". They will twist the vuln and your response to it in such a way to prove that you are a bad, stupid company.

The two most important things are, first, that you use a standard email address ("security@example.com") that they can submit vulnerability information to, with a responsible person on the other end who will respond within one business day. The second thing is that you train tech support so that when they get a report of a security vuln, they don't demand that the person be a customer. (That's the most common problem: a researcher calls tech support and reports the vuln, then tech support ignores them because they aren't a customer.)

Beyond that, expect that vuln reports will end badly.

Robert David Graham