The Challenge of Responsible Disclosure

Responsible disclosure of a cybersecurity flaw is more complicated than a typical whistleblowing scenario. In many whistleblowing situations, unsafe or illegal activities are already ongoing and known (or even condoned) within an organization. By publicizing these activities, the whistleblower is shedding light with the hope of improving safety or stopping a crime. When a cybersecurity flaw is discovered in an application or system, the organization may not be aware of it. Exposing the flaw publicly alerts hackers who may be able to exploit the flaw prior to the availability of a fix. It is responsible practice to disclose a flaw privately so an organization has time to prepare patches (corrections) or close security holes.

Companies react differently when a cyber vulnerability is discovered by someone who is neither one of their own security researchers nor a contractor performing a security audit for the company.

Some companies, such as Google, Facebook and Microsoft, offer bug bounties. (Apple does also, but many researchers say the bounty is not high enough.) Third parties, such as security and cyber defense firms, also offer bug bounties which are often even higher than the software publisher's bounty.

Other companies react negatively and charge the person discovering the vulnerability. Here is an example:

Man gets threats—not bug bounty—after finding DJI customer data in public view

In November 2014, a hacker approached a journalist at Motherboard and mentioned he had found interesting data on the servers of the toymaker VTech. The hacker shared some of the data with the reporter because "he thought the company 'would never listen' to him, and might even have tried to cover the breach up. Also, judging by the poor level of security he saw on VTech's servers, he was worried others could get access to that data, or had already accessed it." The hacker did not want the data to be made public by someone with malicious intent.

When children are breached—inside the massive VTech hack

Hacked toymaker leaked gigabytes’ worth of kids’ headshots and chat logs

VTech was notified about the breach by Motherboard and, after verifying it occurred, made a public announcement. Later, the British government charged the individual with crimes under the Computer Misuse Act, which is similar to the United States' Computer Fraud and Abuse Act (CFAA).

Man arrested in toymaker hack that exposed data for millions of kids

These are just a few of the many examples that show the varying reactions of software and system companies.

Consider these scenarios:

Scenario 1) Suppose you are on a computer and using the web front-end for one of your favorite mobile apps. You read that another similar application had an easy-to-exploit SQL injection vulnerability and you wondered if this web app had the same vulnerability. With a simple cut-and-paste from a blog entry you discover that this web site has the vulnerability also.

  • What actions, if any, do you take?

  • Why do you believe that is the correct course of action?

  • How would your actions differ if the web site was for a bank, a social media site, a game FAQ bulletin board or a friend's small business web site where the only web form was a "Contact Us" page to send email?

Scenario 2) Consider a scenario similar to the above, but this time you are an employee of the company, though not in the cybersecurity division or the department that developed the web application. You report the vulnerability to a grateful management that tells you they will address it quickly.

After 30 days, you notice the vulnerability still exists and, after following up, you're told that the vulnerability will be fixed, but it has had to wait since the IT staff has been overworked trying to get out a new release. They did not want to rush the fix and possibly break other modules or delay the new release.

  • What actions, if any, do you take?

  • Why do you believe that is the correct course of action?

  • How would your actions differ if the web site was for a bank, a social media site, a game FAQ bulletin board or a friend's small business web site where the only web form was a "Contact Us" page to send email?