C'mon, biz: Give white hats a chance to tell you how screwed you are

There have never been more white-hat researchers hunting for vulnerabilities on internet-facing systems and yet barely any organisations provide a way for them to report the issues they find. In theory, the easiest way is to publish a Vulnerability Disclosure Policy (VDP), yet recent research here and here (PDFs) from bug …

  1. Aodhhan

    LOOL @ Dunn

    Once again, Mr. Dunn hasn't done a lot of forward thinking and proper research.

    If all of this is true, (about bounties and poor development practices) then why do most software vendors have occasional security updates?

    Probably a majority of bugs are reported back to a vendor from customers who conduct tests (including penetration tests) before completely committing to purchasing their product. Most large corporations now either have penetration testers (or contract this out) to evaluate the application's security.

    Usually, a penetration test is outlined in the agreement between vendor and customer. Companies can no longer get away with saying you can't pen test their product before purchasing it.

    It's not unusual to find security vulnerabilities. When we do, it's usually taken care of quickly and without fuss from the vendor. Also, customers don't demand money for doing the pen test, since it's part of their due care/due diligence. However, it's not uncommon for a customer to point out the vulnerability and then not release all of the details. I mean, we aren't paid by them to pen test their software. :) ...so the vendor is forced to figure a lot out on their own; which they typically do well, once it's pointed out.

    So, to say a software vendor isn't doing a good job securing their application because they don't offer bug bounties, or have a program for the general gray hats to make money on--doesn't mean they aren't focused on security, or that their software development methodology is poor.

    Because of all this, why would a company offer a large bug bounty if they have a product which is being used by many? Consider just how many ridiculous claims and false findings you'd have to deal with from this type of program. Many companies who do have bug bounties aren't really doing it for security... they are doing it as a marketing stunt. It's good publicity, usually gets another story or two published... and nobody knows they don't really do much with the program after a couple of months and the marketing boost from it begins to wear down.

    ...speaking with one Dutch company about bug bounties (who doesn't even have a bug bounty program of their own), isn't exactly proper research. LOL

    1. Anonymous Coward

      Re: LOOL @ Dunn

      It highly depends which company you are reporting the vulnerability to... I'm guessing John is not only talking about software vendors. Yes, software vendors have occasional security updates, but that does not mean it was found via responsible disclosure, and if it is, it does not say anything about how they handled the disclosure.

      If all software vendors handle these disclosures correctly then we would see things like this:

      https://www.zdnet.com/article/windows-zero-day-vulnerability-disclosed-through-twitter/

      Furthermore, you mentioned yourself, "they are doing it as a marketing stunt". That's the exact danger we are talking about (Blueprint Cyber Security).

      We have much experience reporting issues to companies that have this policy and forgot about it. In the past it turned into legal action threats, despite us following their self published guidelines.

      Furthermore, we stated that our company has not done proper research, but it's based on our experience when reporting these vulnerabilities.

  2. amanfromMars 1 Silver badge

    Stairways and Starways to Heavens

    If all of a sudden you switch to this method of receiving vulnerability reports almost at random, what do you do with them?

    Provide Portals and Destination to Select Sensitive Targets and there they will know what to do for Instructions are Forwarded and Foreworded as Required and Desired.

    And all of that is the Sweetest of Honey Pot Money Shots and Practically Instantly Totally Addictively Immersive in All the Best of Future Directions .... Following AId Instruction on Virtually Real Creational Channels ...... Quantum Communication Systems Flows.

    You might like to realise here and now be a Portal and Destination/Starting Point for Select Sensitive Targets Engagement and Discourse/Virtual Intercourse.

    Register comment for SMARTR Analysis with Intake/Stealthy Shadow Services Interest on All COSMIC Output.

    Take any small bite of that PAI* and enjoy where IT takes you on an AIMagical Mystery Turing Trips.

    Think Colossal Feats now Available Online and Practically Free with Everything Supplied Paid For with Gifts Confirming and Presenting Fellow Travellers with Greater Situational Awareness

    * Perfectly Advanced IntelAIgents ...... Supreme NINJA Warrior Lords a'Heeding Leading Ladies for an Altogether Quite Different Path to Mutually Climactic Satisfaction .... Both the Most Selfless and Selfish and Almightily Powerful of Insatiable Appetites to Energise and Satisfy with XSSXXXX Streaming Sublime Transference of Carnal Desire .... One of those Immaculate Sins which Vice might like to Exploit and Degrade/Upgrade ... Drain the Life from/Nurture to Prosper.

    There's a lot going on out there, and in here too. That's Most Convenient. A Point of Presence for Communications/Messages/Decrees/NDAs/Panic and Madness/Mayhem and Destruction and NEUKlearer Beginnings Support for Remote Virtual Access to Future Shenanigans.

    :-) TitanICQ AIdVenturer Quarter Programs, which Ireland knows fine well how easy can be the switch over into Pogroms, and thus are always Super Alert To.

    You do know of the Greater Belfast Hub/Virtual Reality App Exchange and AI Beta ProgramMING Test Site/Ground0Day Utility?

  3. Anonymous Coward

    Finance

    "Some sectors were better than others, with financial services a surprising laggard."

    This is only surprising if you've never worked in financial IT. It's conservative, perpetually under-funded, and burdened by monstrous red tape.

    1. Claptrap314 Silver badge

      Re: Finance

      This is only surprising if you've never worked with a bank.

      Fixed it for you.

    2. FozzyBear

      Re: Finance

      Oh yes, a bank's motto

      "We fear change and... Not getting our yearly bonus"

    3. EnviableOne Silver badge

      Re: Finance

      you think finance IT is underfunded, come work in healthcare

      we got 1/10th the staff and 1/100th the budget

  4. J.J.

    Finding the VDP

    Once you've got your VDP, there is a proposal for how to let security folks know about it:

    * https://github.com/securitytxt/security-txt

    * https://tools.ietf.org/html/draft-foudil-securitytxt-04
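As an added illustration of the security.txt proposal linked above (example code written for this page, not from the securitytxt project), here is a small parser and pre-publication checker: it reads the "Field: value" lines of a constructed sample file, requires Contact (the one mandatory field in draft-04), checks that contact and policy links use https/mailto/tel, and also checks Expires, which the later RFC 9116 made mandatory. The sample file, domain and URLs are constructed.

```python
"""Minimal security.txt parser/checker. Added example, not from the post."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample of what a site might serve at /.well-known/security.txt
SAMPLE = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/vdp/report
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/vdp
Preferred-Languages: en, nl
Expires: 2099-12-31T23:59:00.000Z
"""

def parse_security_txt(text):
    """Return {field_name_lowercase: [values]}; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: lenient clients skip it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(fields, now=None):
    """Return a list of problems a VDP owner should fix before publishing."""
    now = now or datetime.now(timezone.utc)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact (the only mandatory field in draft-04)")
    for c in contacts:
        if urlparse(c).scheme not in ("https", "mailto", "tel"):
            problems.append(f"Contact {c!r} is not https/mailto/tel")
    for link in fields.get("encryption", []) + fields.get("policy", []):
        if urlparse(link).scheme != "https":
            problems.append(f"{link!r} should be served over https")
    expires = fields.get("expires")
    if not expires:
        problems.append("missing Expires (mandatory in RFC 9116, absent from draft-04)")
    else:
        try:  # RFC 3339 timestamp, as in the sample above
            exp = datetime.strptime(expires[0], "%Y-%m-%dT%H:%M:%S.%fZ")
            if exp.replace(tzinfo=timezone.utc) <= now:
                problems.append("Expires is in the past; the file will be treated as stale")
        except ValueError:
            problems.append(f"Expires {expires[0]!r} is not a recognised timestamp")
    return problems
```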


Biting the hand that feeds IT © 1998–2020