Responsible Disclosure – that’s the principle ethical hackers follow when they discover a security vulnerability in a company’s systems. In this blog post we clarify what Responsible Disclosure is, explain why companies should actively look out for and use this information, and give initial tips on how to do so.
What is Responsible Disclosure?
Responsible Disclosure is about how newly discovered security vulnerabilities are disclosed. Fortunately, there are independent ethical hackers who check websites, programs, apps and similar systems for security vulnerabilities – not to exploit them criminally, but to help the affected parties close these gaps.
Typically, ethical hackers report the vulnerability to the company whose program, website or app is affected. They provide the company with a reasonable amount of time to close the gap. Only then do they inform the public about it. The goal of this approach is to prevent cybercriminals from exploiting the vulnerabilities.
Good to know: Alternatively, Responsible Disclosure is also known as Coordinated Disclosure – because the companies and ethical hackers coordinate their actions.
Who or what are ethical hackers?
Right off the bat: ethical hackers are not a unified group. What they do have in common is considerable computer expertise and a certain hacking ethic, sometimes their own individual one and sometimes, for example, the hacker ethics of the Chaos Computer Club. One of those principles is “Use public data, protect private data.” Many security vulnerabilities jeopardize the protection of private data, so ethical hackers often feel responsible for ensuring that such gaps are closed.
What is the difference between Responsible Disclosure and Full Disclosure?
How the responsible disclosure of a newly discovered security vulnerability plays out is not always predictable. Many companies are happy to receive accurate tips from ethical hackers and make an effort to close the discovered vulnerabilities.
However, there are also companies that take no action at all. In such cases, ethical hackers may opt for Full Disclosure: they release the vulnerability to the public even though it has not yet been closed. This decision is double-edged. On the one hand, it also tells cybercriminals about a security gap that is still open. On the other hand, the publication usually puts massive pressure on the company in question to close the gap as quickly as possible.
Important to know: Cybercriminals specifically look for security gaps to exploit them for their own purposes. Therefore, ethical hackers often also have to weigh the probability that a security gap they have found is already known to at least some cybercriminals.
Responsible Disclosure from a corporate perspective
More and more companies are making an effort to facilitate Responsible Disclosure for ethical hackers, for example by setting up a dedicated email address for such notices or by providing a reporting form.
In some cases they also tell ethical hackers which types of security vulnerabilities are relevant to them and how reports are handled. Companies make these efforts because they benefit from the unsolicited expertise of ethical hackers.
A tricky issue: the topic of criminal charges
When they find security vulnerabilities, ethical hackers can technically face criminal charges – for example, if they discover that personal data is publicly accessible due to a vulnerability and inevitably view some of that data in the course of the discovery.
Typically, companies do not report ethical hackers in such cases. However, a major German party did so after it was notified of several security vulnerabilities in one of its apps. As a result, Europe’s largest hacker association – the Chaos Computer Club – announced that it would no longer report security vulnerabilities to this party in the future.
How to facilitate a Responsible Disclosure for your company
Security vulnerabilities can cause serious damage to your business. Therefore, make it easy for ethical hackers to report their findings according to the principle of Responsible Disclosure.
Work out with the appropriate professionals or departments how you want to – and can – handle vulnerability reports.
- Set up a dedicated email address for Responsible Disclosure notices, such as firstname.lastname@example.org
- Set up a reporting form to enable detailed information.
- Make the contact details and, if necessary, further information available on your website, e.g. at www.example.de/security.
- Communicate there, among other things, the expected timeframes for responses to reports and for closing reported vulnerabilities.
Important: If your preparations are rewarded by a report, respond to it professionally, transparently, and appreciatively. This is because you will benefit from sought-after expertise.
Some examples of how other organizations handle Responsible Disclosure:
- German Armed Forces
- A TV station
- A furniture store
For more helpful information, see the BSI document “Handling vulnerabilities. Recommendations for manufacturers”.
Last but not least: Knowledge is money, even in the case of security vulnerabilities
Typically, ethical hackers report security vulnerabilities without charging money. This makes it all the more important to be aware of the value of this information: hiring ethical hackers for targeted security testing is not cheap, which is why many large companies offer rewards for reported security vulnerabilities.
So should you also pay a finder’s fee for reported security vulnerabilities? That is ultimately up to you. Finding and responsibly, constructively reporting security vulnerabilities can cost ethical hackers a lot of time and effort – and save you a lot of trouble. We therefore recommend expressing your thanks and appreciation in line with your company’s capabilities, perhaps in the form of a bonus, popular giveaways or free products. Ideally, reward the finder in the way you yourself would like to be rewarded.
If you have further questions on the subject of Responsible Disclosure or would like support in enabling or processing such reports, simply contact us.