Getting started with a responsible disclosure policy
| Sieuwert van Otterloo |
A responsible disclosure policy lets outside security researchers test the security of your IT systems and report what they find without fear of prosecution. It is a highly recommended security measure for larger organisations: it gives more insight into your actual security posture, reduces incidents and helps you find security talent.
What is responsible disclosure?
Many hackers are simply enthusiasts who like to test security. They have no intention of hurting companies; they just want to test their skills and intelligence against real-world systems. In most countries, however, breaking into computer systems is illegal (trespassing, or "computervredebreuk" in Dutch law), just as it is illegal to break into houses. The fact that you do not steal anything makes no difference. Because testing security without permission is illegal, many hackers have been hesitant to come forward with information: they face the risk of prosecution if they report the bugs they have found.
With a responsible disclosure policy, a company promises not to press charges against hackers who disclose information in a responsible way: privately, promptly, and within the rules the policy sets (typically no denial-of-service attacks, no social engineering, and no accessing or copying more data than is needed to demonstrate the weakness). The policy thus gives explicit permission to security enthusiasts to test the IT security and cyber resilience of the company. Note that the policy is a promise by the company, not a change in the law; whether the public prosecutor also refrains from prosecution is a separate matter, which is one reason the policy should state its rules clearly. Hackers get the opportunity to learn from real-world systems. Companies with a responsible disclosure policy learn about weaknesses faster and earlier, and gain a lot in security.
Bug bounty programs
Some companies also offer rewards, so-called bug bounties, for serious weaknesses that are reported. Some security specialists reportedly make a living from the bounties they collect, and some companies take pride in how few bounties they have had to pay out. We are not against modest bounties, but we would like to stress that bounties can distract from the real purpose of a responsible disclosure policy: making it possible to report information without fear of prosecution. The bounties (cash or gift cards) should be a nice extra.
The main disadvantage of a responsible disclosure policy is that once you announce one, you need security staff to review, triage and follow up on everything hackers send in, and to reply to reporters within the timeframe your policy promises. If your company has a chief security officer and security-aware IT staff, this should not be a problem. If you do not have that capacity, it is probably better to first train staff and improve security with other measures before announcing a responsible disclosure policy.
Responsible disclosure policy examples
The Dutch National Cyber Security Centre has published a guidance document with useful pointers. Since a responsible disclosure policy is usually public, one can find examples on the web. The Dutch examples we could find are here: bol.com, Staatsloterij, Rabobank, ING, ABN-Amro, Philips, Marktplaats. We would like to hear additional examples from you.
The up-and-coming startup Hackerone offers a platform for running bug bounty programs, and has also published detailed guidelines. On its website one can see many examples of companies with a responsible disclosure policy and a bug bounty program, such as Yahoo, Adobe, Twitter and Airbnb.
How ICT Institute can help
If you have already invested in other security measures, we can help you draft a policy and review it. This should only take a few hours. If you also have other security questions, give us a call and we can help you create and execute a complete security plan covering all important measures.
Image: carlos alberto teixeira, pixabay creative commons
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.