Communication, validation, acknowledgement and fixing are key components

Jul 25, 2014 16:01 GMT

As many businesses seem to struggle with running a proper program for receiving security reports, researchers have released a set of guidelines to clear up some of the confusion and provide an efficient framework for disclosing security issues.

The guide, posted by the BugCrowd team, points out right from the start that all members of the business who can contribute to eliminating a reported security issue need to be aware of the existence of the bug-hunting program and its policy.

One important point is that the team needs to understand that this outside help in improving the security of the company or product is free of charge, and that all reports should be met with respectful communication.

Also, the entire process, from answering a submission to responding in the case of a critical issue, needs to be clearly mapped out.

In order to make the program efficient, it is necessary to define from the outset what counts as a security issue for the company and to set boundaries for public research.

This also helps in communicating with the researchers who provide the bug information, so that all reports fall within the scope of the program.

With the foundation of the program properly set up, businesses need to make the policy and the purpose of the program publicly available.

“Your policy should be made publicly available on a security-focused page on your public website. This page will become a resource for all visitors interested in how you protect their data,” writes BugCrowd engineer Drew Sing in the guideline.

Responsiveness, acknowledging receipt of every submission, and defining a period within which an answer will be given are all important aspects. Those reporting the vulnerabilities need to be informed whether or not the flaw has been validated, and they must be given a timeline for the release of a fix.

Explaining the reasoning behind decisions is also important, since the business's perspective is generally different from that of someone outside the company.

Communicating as if in public view and logging the message exchange are always a good idea, since in some cases the response to the researcher may be published, and sometimes the business needs to defend its actions.

Since the security issue was fixed with outside help, acknowledging the researcher's contribution is a nice way to say “thank you,” all the more so if no financial reward is given.

Crucial to any bug-hunting program, however, is how quickly the company delivers a fix for the security problem; the shorter the response time, the better.

Of course, a larger crowd can always be attracted by awarding cash prizes for the more significant vulnerabilities. After all, this would be an investment in the company, with an incredible return.