Security Testing Tips: Vulnerability Reporting & Disclosure Tips


In simple terms, a vulnerability is a security bug; for a fuller definition, see the OWASP glossary. Disclosure means letting the world know about the security bug you found. I am going to share some quick tips on how to report a vulnerability and disclose it responsibly, which is one of the responsibilities of an ethical hacker.

Whenever you find a security vulnerability in a web application, do not reveal it to anyone, whether that person is your close friend or your boss. Here are some guidelines you can use to report the findings and disclose them to the web.

1. Proof of concept: Record a video of the vulnerability and save it on your computer so that you can disclose it later. As the person who found it, you own the credit and the bragging rights.
2. Report it to the concerned person: Reporting to the right person, one who can actually handle the issue, is really important. There may be rogue insiders in the company who could misuse the report if it is sent to the wrong person.
3. Disclosure: Practise responsible disclosure. This means you let the world know about the vulnerability only after the company's developers have fixed it.
4. Do not sell the data: It may be tempting to sell the data to a competitor of the affected business; however, it is not ethical to sell the data while you are reporting the vulnerability to the concerned person and getting it fixed. It is equally unethical to keep the data on your computer and use it for personal or commercial purposes.
5. Bragging rights: Whether to publicize the finding on the web is a personal choice. Some people disclose it for the bragging rights; some people just don't.

There are organizations such as CERT, NULL and others through which you can submit the vulnerability; their members will handle communication with the concerned person, and you can track the status. However, the response may be delayed, and I personally have faced delays of a year or two. Also, product owners are not very serious about security vulnerabilities [especially in India, in my experience], so you need to keep following up.

Last but not least, be very careful before you get your hands dirty: be aware of the cyber laws in your country and take the necessary precautions so that you do not land in jail or receive a heavy fine for violating them.

Santhosh Tuppad is the Cofounder & Software Tester of Moolya Software Testing Private Limited (www.moolya.com). He won the uTest Top Tester of the Year 2010 award, apart from winning several testing competitions from uTest and Zappers. Santhosh specializes in the exploratory testing approach, and his core interests are security, usability and accessibility, among other quality criteria. Santhosh loves writing and has a blog at http://tuppad.com/blog. He has also authored several articles and crash courses in the past. He attends conferences and confers with the testers he meets. Santhosh is known for his skills in testing, and you should get in touch with him if you are passionate about testing.