Week 2 Homework
Responsible Disclosure, what is it?
A responsible disclosure or vulnerability disclosure policy is, in essence, a guideline that ethical hackers can use to submit vulnerabilities that they may find. According to HackerOne, a US-based bug bounty platform, a vulnerability disclosure policy should generally consist of 5 key elements:
Promise - an explanation of why the vulnerability disclosure policy is being created, why the policy is important and what it is expected to accomplish.
Scope - directed at hackers, specifies which assets, products and vulnerabilities are fair game and which are considered off limits. May also outline which vulnerability types are worthy of reward.
“Safe Harbour” - an assurance that reporters acting in good faith will not be legally prosecuted. This is really important: some hackers won’t even touch a program without safe harbour.
Process - instructions on how to report the vulnerabilities found and what information is requested in the report.
Preferences - a document that sets expectations for report evaluation. It can include the expected duration between submission and response, additional communication after the initial submission and whether finders have permission to publicly disclose vulnerabilities.
Responsible disclosure/vulnerability disclosure policies are very important documents for both public and private bug bounty programs.
How do bug bounties and ethical hacking impact stakeholders?
Identifying the stakeholders is definitely important in answering this question. Personally, I believe that both businesses and organisations are stakeholders in this situation. Success or failure of ethical hacking/bug bounty programs will affect both businesses and organisations, so it’s in their best interests that bug bounty programs are well outlined and successful. The potential reputation and financial costs that could arise if hackers were not ethical and sought other avenues to capitalise on vulnerabilities found could be immense.
Robert Mitchell from GitLab talked about how some organisations’ managers would accept the risk of breaches if they deemed the cost of preventative measures more expensive than the cost from a data breach. From HackerOne’s Hacker-Powered Security Report 2018, a spotlight on page 23 highlights the statistics of the Shopify bug bounty program. Shopify services over 600,000 businesses and has resolved 759 vulnerabilities, rewarding over $850,000 to 300 hackers over the past 3 years. Can you imagine the potential damage that could occur if they were not proactive in their attempt to secure their platform? The reputation and financial loss would be huge with companies such as Red Bull and Nestle employing their services. With this in mind, it’s clear to see that bug bounty programs have a financial cost to the organisation. This is possibly a negative impact on the organisation, but it is up to them to decide if the risks of a data breach are worth the financial costs of paying out ethical hackers.
There is a definite need for ethical hackers in the security ecosystem. If hackers behave ethically, they can help secure organisation systems and prevent the theft of data and violation of stakeholder privacy. If hackers behave ethically and disclose vulnerabilities responsibly, I believe that they can only benefit stakeholders and have a positive impact.
Overall, I think that well outlined bug bounty programs have a positive impact on stakeholders. The purpose of bug bounties is to be proactive in securing organisations and to reward ethical hackers for reporting possibly damaging vulnerabilities to the organisation to patch before malicious actors find and leverage these bugs. Keep in mind that organisations should only start a bug bounty program if they are prepared to handle the huge influx of vulnerability reports and noise that comes with them, and that organisations should have a genuine need to have a bug bounty program, not just for the sake of having one.
Both HackerOne and BugCrowd act as platforms for organisations to host public bug bounty programs. Web applications are the most popular type of application tested on bug bounty programs. Since the studio will be learning about web application penetration testing this week, a way of implementing techniques that I’ve learnt throughout the week would be to browse for a suitable bug bounty program with a well outlined responsible disclosure policy and attempt to find bugs that the web app might have.
HackerOne 2017, Vulnerability Disclosure Policy Basics: 5 Critical Components, HackerOne, Accessed on 12 February 2019 - https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components
HackerOne 2018, The Hacker-Powered Security Report 2018, HackerOne, Accessed on 12 February 2019 - https://www.hackerone.com/sites/default/files/2018-07/The%20Hacker-Powered%20Security%20Report%202018.pdf
Weulen Kranenbarg, M., Holt, T. & Ham, J. 2018, ‘Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure’, Crime Science, vol. 7, no. 1, pp. 1-9.