What is "Responsible Disclosure" to report security flaws

What is Responsible Disclosure to report security flaws

There is a practice, widespread among companies, called "Responsible Disclosure", which defines the methodology to follow when a security flaw is discovered in a software. Let's see in detail what it consists of.

What is "Responsible Disclosure"?

It often happens that researchers, ethical hackers or anyone who uses a software or hardware product may come across a bug. In recent years, we have witnessed the discovery of various vulnerabilities in processors, while we have always read news relating to the identification of security holes in programs. Sometimes we refer to the discovery of bugs in a generic way, but these "defects", of design or programming, can be harmless, such as errors that occur when a certain action is performed, or much more serious problems in the case of a real and its own security flaw, which could be used by a potential attacker to steal data or access sensitive parts of a software or hardware component. It is clear that on the web there is, at any moment, someone who can't wait to exploit these flaws to their advantage, using them to steal data or carry out other operations that can cause damage.

Since not all those who discover these flaws are, basically, hackers intent on doing damage, but many times they are researchers, universities or expert programmers who, in fact, are not dangerous, a practice has been established whose purpose is to allow companies who develop that particular software or component to be able to intervene and solve the problem before it is too late, that is to say before some malicious hacker learns of it and exploits it to his advantage.| ); }
This "responsible disclosure" lays its foundation on the feeling of responsibility social, that is, he makes sure to avoid that his own discovery can be used by someone to cause damage and therefore endanger other individuals. Obviously this social ethic is stronger in some people than in others, but on average that's what ethical researchers or hackers should do. The fact of divulging the vulnerability discovered after it has been resolved makes sense, from the researcher's point of view, as a matter of personal gratitude and, why not, of skill, which could be convenient for the person himself, therefore it is completely normal.

There are no specific procedures or times to follow in carrying out this “Responsible Disclosure”: each company should actually have its own practice. Just do a Google search with "Responsible Disclosure", followed by the name of the company, to access pages where the practice is explained, that is, all the information relating to who to communicate the vulnerability, how and so on. Usually the time in which this discovery must remain secret, to allow the company to solve the problem, varies from one month to a year, with an average of between 90 and 120 days.

Several companies have at the also active economic recognition programs for those who detect and communicate bugs and vulnerabilities. Basically, if you discover a vulnerability, based on severity and other factors, you could receive a cash reward in return. However, this should not be the engine behind "responsible disclosure", which, as mentioned above, should be driven by a civic sense.


What is "Full Disclosure"?

The opposite of Responsible Disclosure is Full Disclosure, where the vulnerability is disclosed as soon as it is discovered, without notifying the company, and risking to let it be used to create damage. Usually, it is preferable to use Responsible Disclosure, although there may be situations in which it is not applicable, such as when it is impossible to contact the company, and consequently there is no real procedure, you do not receive a response from the company or the company announces that it does not intend to apply a correction. In this case it is acceptable to use less caution, as a sort of strong message to be given to the company to push it to solve the problem.







Powered by Blogger.