Sunday, September 16, 2007

Why Don't Financial Institutions Have Vulnerability Reporting Policies Online?

You may remember I did a bit on vulnerability reporting policies a little while ago. I was interested in crafting a vulnerability disclosure policy that was responsible both for the company posting it and for security researchers, while also taking into account the liability issues surrounding security researchers testing web applications.

In my previous piece I pulled together a quick summary of the public-facing security reporting policies (or lack thereof) for a number of big sites on the web. Recently I started doing the same for financial institutions. I tried finding disclosure policies online for major financial institutions such as Citibank, Wells Fargo, Washington Mutual, Chase, Fidelity, etc. I was unable to find an externally accessible security reporting/disclosure policy for any of the major financial institutions I looked at.

Why is that?
  • Fear that a disclosure policy makes it look like they could have a security issue?
  • Worried about too many people contacting them about bogus issues?
  • They don't want to be the first to publish one?
I'm not suggesting that everyone ought to follow the RSPolicy but maybe they ought to have something online rather than nothing?

1 comment:

shrdlu said...

I'm guessing it's one of those things that Legal departments don't want the company to commit to. It's kind of like putting up a sign saying, "When we screw up, here's what we plan to do," and anything that starts with "When we screw up" translates into "Please sue us." Some kinds of public statements are just asking for trouble.