From personal experience many years ago I know the frustration of discovering a security vulnerability in a website, wanting to warn the site owners, but being unable to find a responsive contact to accept the information. However, I also know, from even longer ago, what it’s like to be a sysadmin told by a stranger that my precious computer has a bug in it that I urgently need to fix. They no doubt thought they were helping me, but it was awfully tempting to shoot the messenger! I was therefore particularly interested in a presentation of the Netherlands’ national Responsible Disclosure Guidelines, which try to help both sides in this discussion by establishing some basic ground rules likely to lead to an outcome that benefits both parties.
Having spoken to a wide range of vulnerability researchers, organisations, lawyers, journalists and law enforcement agencies, the Guidelines’ authors identified the key points as establishing and maintaining effective communications, and ensuring that the expectations of both parties are aligned. Thus by adopting the Guidelines, organisations agree that they will act on reports of security issues in a timely fashion (letting the reporter know if normal timescales need to be extended), and reporters agree that they will do no more than is needed to identify and accurately describe the problem. Reporters shouldn’t feel they need to actually exploit a system in order to provide “proof” before they will be believed. Organisations need to provide and advertise points of contact – helpdesks and telephone switchboards probably aren’t good places to have these discussions – and neither side should use threats, whether of arrest or blackmail, as part of their negotiating strategy. Organisations are, after all, being offered a very cost-effective penetration test; many reporters will be satisfied to know that they have improved security, and delighted to be offered a T-shirt, trophy or site visit (all have been used as rewards by organisations participating in the Dutch scheme) as a thank you.
The proof of any such scheme is in take-up – I was reminded over Twitter of a long-expired attempt to develop a responsible disclosure RFC. The Dutch scheme seems to be doing well on this measure, with a much wider range of organisations than expected participating – some developing new internal structures and systems to implement the Guidelines – and even examples of journalists following the process rather than immediately publishing when they receive tip-offs from vulnerability finders who wish to remain anonymous.