What it is
A vulnerability is a weakness in software, hardware, or an online service. Vulnerabilities can be exploited to gain access to systems, accounts or information, or used in attacks such as ransomware.
How it works
When someone finds a vulnerability, they’ll often try to let the owner of the software, hardware, or service know about it. This is known as vulnerability disclosure.
People who find and report vulnerabilities are not usually malicious. They want to let you know a risk exists so you can mitigate the risk for your organisation. For example, the finder could be:
- a professional security tester, testing the software for a client, or
- a curious university student testing their security knowledge.
How to protect your business
While getting a report is often unexpected, it’s generally not something to panic about. To make sure you’re prepared to receive reports:
- make sure people know how to report vulnerabilities to you
- have a process in place to investigate them.
Make it easy for people to report vulnerabilities
The hardest part of making a report is often figuring out who to send it to – it can be difficult to find the right contact details.
Vulnerability reports should go directly to your IT or security team. If the only contact details available on your website are for media or general enquiries, there’s a risk the report could get lost, or sent to the wrong part of the organisation.
Make sure you:
- have a security.txt file on your site. Security.txt is a standard that gives people an easy way to contact your organisation about security issues. It’s a text file that sits on the web server and gives details of your security contact email address, your vulnerability reporting policy and your PGP fingerprint if you have one. You can find the security.txt file for any website that publishes one under the well-known path. For example, CERT NZ’s security.txt file is at https://www.cert.govt.nz/.well-known/security.txt
- list full contact details on your site. Include contact details for your IT support or security team on your main contact us page, or add them to your privacy or security policy page
- make sure you keep your WHOIS profile up to date. WHOIS is a searchable domain details database. It’s often the first place people will look to find an organisation’s contact details.
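As an added illustration of the security.txt point above (this is example code, not CERT NZ's own tooling), the following checker parses a security.txt file and flags the problems that most often make a file unusable for reporters: a missing Contact or Expires field, a Contact that is not a mailto/https/tel URI, or an Expires date already in the past. The sample file and the example.com addresses are constructed, so it runs offline.

```python
"""Minimal security.txt (RFC 9116) parser and sanity checker.
Added example, not CERT NZ's code. SAMPLE is a constructed file using
example.com addresses, not fetched from any real site."""
from datetime import datetime, timezone

# Constructed sample showing the fields the guidance mentions.
SAMPLE = """# security.txt (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2099-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Preferred-Languages: en
"""

REQUIRED = {"Contact", "Expires"}            # RFC 9116: both MUST be present
SINGLE = {"Expires", "Preferred-Languages"}  # RFC 9116: at most one occurrence

def parse_security_txt(text):
    """Return {field_name: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file looks usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in fields]
    problems += [f"field {f} must appear only once"
                 for f in SINGLE if len(fields.get(f, [])) > 1]
    for c in fields.get("Contact", []):
        # A bare email address is a common mistake; the field must be a URI.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto/https/tel URI: {c}")
    for e in fields.get("Expires", []):
        try:
            exp = datetime.strptime(e, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append(f"file expired on {e}; reporters may distrust it")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 UTC timestamp: {e}")
    return problems
```

Running the checker periodically against your own published file catches the common case where a security.txt was set up once and then silently expired.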