Thursday, July 19, 2007

Security Reporting Policies That Encourage Responsible Disclosure?

I was reading Jeremiah's piece recently about the CSI working group he was on dealing with liability for security researchers, especially those working in the web application space. It got me thinking about creating disclosure policies that serve several purposes:
  • Encourage Responsible Disclosure (subject to interpretation)
  • Provide clear expectations and ground rules
  • Protect researchers who disclose responsibly - ie. waive liability for researchers that follow the predefined rules
I'm working to contact a few of the people involved in the CSI report to find examples of disclosure policies that achieve the above goals. In my mind I'd want the policy to have roughly these items:

  1. Tell the company first about vulnerabilities
  2. Don't sell the vulnerability or otherwise distribute it until hearing back from the company
  3. Don't exploit the vulnerability other than necessary to demonstrate the weakness.
    1. Example: If there is an authorization issue, use two of your own accounts, don't break-in to someone else's.
  4. Do these things, and we guarantee we won't go after you for doing vulnerability research on our site.
  5. If you're helpful, we'll try to run a thank-you page listing you. We don't however pay for vulnerabilities.
If you have pointers of good disclosure/reporting policies I'd love the pointer. I looked at a number of the major providers and I didn't see any policies that really hit this one on the head.

  • Overall, good page
  • Doesn't include waiver for the researcher
  • Doesn't mention responsible disclosure
  • Doesn't include waiver for researcher
  • I couldn't really find their security reporting page/info.
  • points to a really odd place
  • Not much in the way of reporting a security vulnerability
  • No waiver of liability

No comments: