Managing incidents
Receiving disclosure reports

Make it easy for people to report a vulnerability

If someone finds a vulnerability in your service or product that could be exploited in an attack, make it easy for them to report it to you.

What it is

A vulnerability is a weakness in software, hardware, or an online service. Vulnerabilities can be exploited to access systems, accounts or information, or used in attacks like ransomware attacks.

How it works

When someone finds a vulnerability, they’ll often try to let the owner of the software, hardware, or service know about it. This is known as vulnerability disclosure.

People who find and report vulnerabilities are not usually malicious. They want to let you know a risk exists so you can mitigate the risk for your organisation. For example, the finder could be:

  • a professional security tester, testing the software for a client, or
  • a curious university student testing their security knowledge.

How to protect your business

While getting a report is often unexpected, it’s generally not something to panic about. To make sure you’re prepared to receive reports:

  • make sure people know how to report vulnerabilities to you
  • have a process in place to investigate them.

Make it easy for people to report vulnerabilities

The hardest part of making a report is often figuring out who to send it to – it can be difficult to find the right contact details.

Vulnerability reports should go directly to your IT or security team. If the only contact details available on your website are for media or general enquiries, there’s a risk the report could get lost, or sent to the wrong part of the organisation.

Make sure you:

  • have a security.txt file on your site. Security.txt is a standard that gives people an easy way to contact your organisation about security issues. It’s a file that sits on the web server, and gives details of your email address, vulnerability reporting policy and PGP fingerprint if you have one. You can find the security.txt file for any website through the well-known path. For example, CERT NZ’s security.txt file is at https://www.cert.govt.nz/.well-known/security.txt
  • list full contact details on your site. Include contact details for your IT support or security team on your main contact us page, or add them to your privacy or security policy page
  • make sure you keep your WHOIS profile up to date. WHOIS is a searchable domain details database. It’s often the first place people will look to find an organisation’s contact details.

WHOIS details for .nz domains – Domain Name Commission

Securitytxt.org

In some cases, CERT NZ may reach out to you to report a vulnerability on behalf of a finder. This is called coordinated disclosure. It usually happens when the finder doesn’t want to contact the organisation themselves (this could be because they want to remain anonymous), or they haven’t had any success contacting the organisation.

We act as a conduit of information only – we won’t investigate or verify the report ourselves.

Coordinated vulnerability disclosure policy – CERT NZ

Provide a secure way to send reports

The finder will need a secure way to send you details of the vulnerability they’ve found. They should be able to:

  • use PGP encryption to send their report, if possible – ask your IT service provider about setting this up. The finder should be able to find your PGP fingerprint on your website, in your security.txt file or on your security policy page. You’ll also need to have your public key available elsewhere – on a public key server like pgp.mit.edu, for example. This lets the finder verify your PGP fingerprint to make sure they have the right public key.
  • send their report to you by email in an encrypted zip file using a strong algorithm. They can share the password for it by phone or SMS. If your organisation does not allow encrypted ZIP files, you should consider using PGP. You can also consider using an HTTPS website, like PrivateBin, that accepts text reports sent straight to your security team.

PrivateBin

Respond to the report

When you receive a report, make sure you acknowledge the finder if you can. Let them know what steps you expect to take to investigate the vulnerability they’ve found. Don’t ignore either the vulnerability or the report.

Be aware that the finder might:

  • want to remain anonymous so you won’t be able to contact them. This is standard practice and nothing to worry about. If you are able to contact them – by email, for example – they may not respond
  • report a vulnerability but not get involved further. Their main concern is to make you aware of it, and then let you deal with it
  • be someone who might not ordinarily feel their report would be listened to. This could be someone within the organisation who’s concerned about possible repercussions, for example.

Investigate the report if necessary

If the vulnerability looks credible, get someone to investigate it. This could be either your own IT team, or a neutral IT specialist. How you approach the investigation depends on your organisation’s internal processes. For example, you might need to:

  • assess the vulnerability (or get someone to do it for you)
  • see how critical it is
  • do a risk assessment
  • kick off a change response process (or incident, if it’s critical or risky).

If you've had an online security incident

If the vulnerability exposed or leaked personal information, you can contact the Office of the Privacy Commissioner to get advice on what you need to do next.

Contact us – Office of the Privacy Commissioner

Put a vulnerability policy in place

Your organisation should have a vulnerability disclosure policy available on your website. It should let people know:

  • how they can make a report to you
  • how you’ll treat any reported vulnerabilities
  • if you’ll provide any kind of reward or thanks for reporting.

Some people – or companies – may ask you for money before they'll give you the details of a vulnerability. Make sure your policy is clear about what you’ll do if you’re asked to pay for a report. If you’re asked for payment and aren’t comfortable with the request, contact another company to investigate the vulnerability on your behalf.

Consider a 'bug bounty'

Some organisations have a programme where they offer rewards or recognition for people who find and report vulnerabilities. This kind of programme is known as a 'bug bounty'. This can lead to a high number of vulnerability reports.

If you want to offer a bug bounty, it's important to start off with a vulnerability disclosure policy first, so people know how to report any issues they find to you.

You can consider implementing a bug bounty programme once your organisation has developed strong internal:

  • vulnerability response processes, and
  • security testing processes.