Responsible disclosure in cyber security
I set this blog up as an outlet for some of my findings and experiments. I’ve been fiddling with security for years, finding numerous problems in apps and software all over the internet. But during this whole time, I’ve actually paid my bills and lived by running a business software development company.
To allow me to publish research here, including vulnerabilities that I’ve uneartherd, I first wanted to make clear what responsible disclosure means to me.
How do security researchers get paid?
Genuine white hat security researchers struggle to find the right balance between paying the bills and being a good internet citizen.
I’m going to assume here that we’re talking about nice people, with a decent level of honesty and integrity. In reality, security researchers are scattered throughout a moral spectrum with mixed motivations for their work. However, there is a universal motivator that spans all human beings, money.
To have a feasible career as a security researcher, you need to be able to make it pay. There are a few obvious routes to achieving this:
Option 1: The celebrity
Build a good reputation and respect amongst your peers and get invitations to speak, write articles and be interviewed. Along with this, you’ll be able to choose from an endless supply of companies wanting to engage in your services.
The pros to this method are obvious, but the road to the top is a seriously long and winding one. You need to not only be able to demonstrate your skills as a fantastic ‘hacker’ but also be able to conduct yourself with some serious integrity, even if that occasionally diverts money away from your wallet.
Option 2: Pen testing and consultancy
You can take the orthodox route to being successful and sell your services to other businesses.
This is a commendable route to making security research pay. It’s competitive and so takes some serious grafting to provide a good service to your customers whilst staying ahead of the competition.
But is it exciting enough? Can you really call it research?
Option 3: Bug bounties
Bug bounty programs are becoming increasingly popular and lucrative. These buckets of cash are being chased by everyone from professional hackers to equally competent school kids.
If you’ve got the skill and speed, they can pay out some serious cash. In some cases, these programs restrict the way that you can release information on your findings to the media, if you want to get paid that is.
Option 4: Going rogue
The bugs are out there, there’s data pouring out of organisations that should know better. Identifying problems and reporting them responsibly in the hope that you’ll gain some credit for your hard work is a valid approach.
Ideally, the company will be so impressed they want you to work with them on an ongoing basis, along with a reward for your efforts. However, in the worse cases, you could end up incarcerated.
The world needs security researchers
I’m of the strong opinion the world needs creative security researchers. Not just monotonous penetration testers but people that really think out of the box to find vulnerabilities that otherwise would eventually become a revenue stream for black hat baddies. We need people that aren’t criminals to test how our data is being protected by its various custodians.
And if we need creative security researchers, then they need to be able to earn a living doing it. Not decide to just stick to software development through fear of prosecution or legal battles with global entities.
And yes, for the greater good, this occasionally this might mean technically performing actions that owners of systems and servers might prefer you didn’t.
To demonstrate your good intentions, all you should need to do is responsibly disclose your findings to the owners of the systems affected.
The process of responsible disclosure
To build a process for responsibly disclosing my findings I wrote some goals that any such process must satisfy:
- To act in the interest of those individuals and businesses who’s data has been exposed
- To neuter the vulnerability in a timely fashion
- To notify any effected parties where the vulnerability represents a risk to their immediate or future privacy
- To not accept any remuneration in exchange for not completing these goals
My process is simple, upon finding anything, intentionally or otherwise I follow the same steps:
1. Properly assess the implications of the find
What data is leaking and how serious could it be? This is not to be confused with how easy it is to exploit, I only care about the implications of the exploit being leveraged by criminals and not how skilled they might be or how long it might take them. Assuming there is a risk to any company or individual I move on to step two.
2. Report your findings to those responsible for the data and/or affected systems.
This includes explaining your findings with replicable examples. I also reiterate that my number one priority is to fix the vulnerability and therefore protect their data and that of their customers. I don’t hide my identity and encourage them to get in touch with me.
3. Follow up
Ideally, by this stage, I’m engaged in conversation with the business(es) involved, perhaps they’ve employed me to take a broader look across their network.
If I don’t hear anything back, I follow-up with a reminder and ask when the issue will be resolved. Often, issues are mysteriously fixed without any further communication with me, this is their prerogative and I consider the vulnerability fixed.
If I still don’t hear back. This becomes a major factor in my decisions during step 4.
4. Public disclosure
The final step is public disclosure, this isn’t always in anyone’s interest or even legally possible.
Often, it’s in my interest to publically disclose my findings, after all, I want the peer kudos for my find. Occasionally I feel it’s in the interest of those individuals that have had data exposed. For example, users may need to be aware that their passwords need to change (should they use them anywhere else).
Needless to say, any disclosure is going to be better with the cooperation of the owner of the faulty systems and in my experiences business are keen to take responsibility to protect their users. In some cases, the businesses concerned prefer to disclose information to their users themselves, publically or privately. Inline with my initial goals of disclosure, I accept this as a valid route to completing the process.
Importantly, I will never disclose anything publically to purely serve my own interests.