
As a conscientious programmer, I put security as one of the core requirements of every product I develop. To prevent flaws from being introduced, I promote a culture of awareness (e.g. make sure that team members I work with know about common vulnerability types), keep myself updated by regularly reading specialized sites (e.g. The H Security or Dan Kaminsky's blog), watch out for common mistakes (and discuss them if necessary) while performing code reviews.

However, we all know that, by Murphy's Law, a security bug will appear (sooner or later). My (closely related questions) are:

  1. How can I promote responsible disclosure of security vulnerabilities found by researchers? That is, how can I encourage them to collaborate jointly with me, not releasing details until a fix is prepared, while simultaneously ensuring they feel they are respected for their hard work and they get the credit they deserve?
  2. In case someone takes the full disclosure route, how can I react (be alerted of the vulnerability as soon as possible and then take appropriate mitigation measures) in the most timely and effective way?

At the moment, I've thought about:

  • making sure a security contact is clearly listed on my website
  • using CVE Details to get a feed for my products if they get published there
  • following security mailing lists as well (see this IT Security answer)
  • ensuring patches are prepared quickly
  • constantly communicating with the bug reporter(s), updating them as progress is being made
  • publicly crediting the researcher(s) for her/their discovery
  • allowing full disclosure some time after the patches are published (to allow affected clients to install them)

(I'm part of a small team in a sort of startup, therefore my course of action is not limited by managerial issues. Nevertheless, I still think that any advice you'll provide can be applied to other situations as well.)

  • The security contact listed on your website should be "security@[your-domain]" or that address should also reach you. – Mike Samuel Jun 20 '13 at 14:43

1 Answer


How can I promote responsible disclosure of security vulnerabilities found by researchers? That is, how can I encourage them to collaborate jointly with me, not releasing details until a fix is prepared, while simultaneously ensuring they feel they are respected for their hard work and they get the credit they deserve?

I think you are on the right track so far with this point. The most important thing is to have an easy way for security researchers to contact you about security flaws. Keeping them involved in the process of fixing the bug is just being polite. If the bug is serious enough and you are able to afford it (which might not apply to you since you are a startup), offer the researchers a bug bounty for their efforts.

The worst thing you can do is be rude to the researchers and ignore their efforts to work with you on fixing the bugs. See this very hilarious case.

In case someone takes the full disclosure route, how can I react (be alerted of the vulnerability as soon as possible and then take appropriate mitigation measures) in the most timely and effective way?

You are also on the right track for this. I don't think there is a more effective method of discovering full disclosures about your software's vulnerabilities besides monitoring the various vulnerability databases available. You might want to look into subscribing to the feeds that such databases push out and use a regex filter to sort through irrelevant information.

If someone does something like this, I'd say the most important thing you should do is keep your customers informed. You might feel that this would negatively impact your reputation, but trust me, it would be a lot worse if your customers get hacked as a result of your software.

Keep them updated on the progress of the fix. If a timely fix is not possible, suggest alternative methods of mitigating the damage.

  • Thanks for the advice - I think I didn't use the right words in my second point. I originally meant to ask: "How can I be alerted quickly in case someone fully discloses a vulnerability?" (I am updating my question accordingly). – Alessandro Menti Jun 20 '13 at 10:05
  • @elgaton I updated my answer with a short paragraph on it. I think you are on the right track though, just monitor the various vulnerability databases and have some sort of sorting mechanism in place to weed out the irrelevant information. – Jun 20 '13 at 10:21
  • @TerryChia That hilarious case is ongoing ... wow – schroeder Jun 20 '13 at 18:01
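One way to implement the feed filtering the answer suggests (and the CVE feed item in the question's list), as an added example that is not part of the original post: it parses an RSS-style feed, matches product names as word-bounded, case-insensitive regexes, and skips entries already seen so a repeated poll does not re-alert. The feed content, product name and URLs are constructed assumptions, not a real vulnerability database export.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed in RSS 2.0 shape; not a real vulnerability database export.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item><guid>vuln-1</guid><title>SQL injection in Acme Widget Server 2.1</title>
    <link>https://example.invalid/vuln-1</link>
    <description>Unauthenticated SQL injection in the search endpoint.</description></item>
  <item><guid>vuln-2</guid><title>Buffer overflow in SomeOtherProduct</title>
    <link>https://example.invalid/vuln-2</link>
    <description>Affects SomeOtherProduct 4.x.</description></item>
  <item><guid>vuln-3</guid><title>XSS in third-party plugin</title>
    <link>https://example.invalid/vuln-3</link>
    <description>The plugin ships with acme widget server installations.</description></item>
</channel></rss>"""

def build_product_pattern(product_names):
    """Compile one case-insensitive, word-bounded regex from literal product names.
    re.escape keeps dots and parentheses in names from being read as regex syntax."""
    alternatives = "|".join(re.escape(name) for name in product_names)
    return re.compile(r"\b(?:%s)\b" % alternatives, re.IGNORECASE)

def filter_feed(feed_xml, product_names, seen_guids):
    """Return feed items whose title or description mention one of our products
    and that have not been reported before. seen_guids is updated in place so
    a repeated poll does not re-alert on the same entry."""
    pattern = build_product_pattern(product_names)
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        guid = item.findtext("guid", default="")
        if guid in seen_guids:
            continue
        text = " ".join(item.findtext(tag, default="") for tag in ("title", "description"))
        match = pattern.search(text)
        if match:
            seen_guids.add(guid)
            hits.append({"guid": guid, "title": item.findtext("title", default=""),
                         "link": item.findtext("link", default=""),
                         "matched": match.group(0)})
    return hits

if __name__ == "__main__":
    seen = set()  # persist this between polls in a real monitor
    for hit in filter_feed(SAMPLE_FEED, ["Acme Widget Server"], seen):
        print(hit["guid"], hit["title"], hit["link"])
```

In a real monitor the seen set would be persisted between polls and the product list would cover every name and alias your software ships under.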