Responsible Disclosure of Security Exploits: A Guide for Ethical Hackers
As an ethical hacker or security researcher, you may come across significant security vulnerabilities that could compromise the integrity and security of a company's systems. But what is the best course of action when you find such an exploit, especially if it is critical and the company is headquartered in California, USA?
Initial Steps: Internal Communication and Reporting
A crucial first step is to reach out to the appropriate security contacts within the company. Consider sending an email to the company's security@ and secure@ addresses, as these are the usual inboxes for security-related communications. If these attempts fail to elicit a response, consider reporting the vulnerability to the CERT-CC using their designated form at Vulnerability Information. This ensures that your findings are documented and communicated to the right parties.
It's important to remember that the discovery of a security vulnerability does not always equate to a true exploit. During my tenure at Microsoft, the vast majority of reports received by secure@ turned out not to be actual vulnerabilities. Be prepared for this possibility and ensure your findings are thoroughly investigated.
Public Disclosure: The Risky but Effective Route
If internal communication fails and you suspect the public is in danger due to the exploit, you may consider publicly disclosing the exploit by sharing your findings on hacking forums. This approach carries risks, as it could prompt a coordinated response from the company or lead to unintended consequences. However, if done carefully, it can also draw attention to the issue and force the company to act.
To proceed with public disclosure, send an anonymous tip to local news outlets in the area. If the issue is brought to the public's attention, the company is more likely to address it. However, this method comes with significant risks, including potential legal action and the possibility of your identity being exposed.
Responsible Disclosure Protocol: A Safeguard for Both Parties
For the most comprehensive and responsible approach, follow the responsible disclosure protocol. This involves presenting your findings to the company in writing, clearly communicating your intentions, and ensuring that all necessary parties are informed.
1. Direct Contact: Email or write a formal letter to the company's security team, addressing it to the appropriate individual (e.g., the security director or chief information security officer). Include all the details of the exploit and be transparent about your credentials and the source of your information.
2. Legal Recommendations: Send a copy of your communication to the company's general counsel and compliance manager, emphasizing that you are not seeking any compensation or additional assistance beyond the information you provided. Clearly state that this communication is your last and only involvement with the company regarding this issue.
3. CERT Involvement: Inform your local CERT (Computer Emergency Readiness Team) that you have disclosed the vulnerability to the company and that you are awaiting a response. CERTs are interconnected, so rest assured that if one agency learns of the exploit, all related CERTs will be aware.
4. Documentation and Follow-up: Keep a record of all your communications and actions. If the company does not respond or takes insufficient action, document this inaction and move forward accordingly.
By following these steps, you can ensure that your findings are responsibly communicated, minimizing the risk to both yourself and the company.
Note: All CERTs communicate with each other. If you are uncertain about any aspect of the responsible disclosure process, feel free to contact me directly. I can assist you in raising the ticket with your local CERT, as they will be my colleagues.