Vulnerability Reporting & Disclosure Tips – By @Santhoshst
Security Testing Tips: Vulnerability Reporting & Disclosure Tips
In simple terms, a vulnerability can be referred to as a security bug. For more information, look into the OWASP glossary. Disclosure means letting the world know about the security bug that you found. I am going to share some quick tips on how to report a vulnerability and disclose it responsibly, which is one of the responsibilities of an ethical hacker.
Whenever you find a security vulnerability in a web application, make sure you do not reveal it to anyone, no matter whether it is your close friend or your boss. Here are some guidelines or tips that you may use to report the findings and disclose them to the web.
1. Proof of concept: Make a video of the vulnerability and save it on your computer so that you can disclose it to the web later. As you found it, you own the credit and bragging rights.
2. Report it to the concerned person: Reporting to the right person who can handle this is really important. There may be rogue insiders who may misuse the report if it is sent to the wrong person in the company.
3. Disclosure: Practice responsible disclosure, which means that you let the world know about the vulnerability only after it has been fixed by the developers in the company.
4. Do not sell the data: It may be tempting to sell the data to a competitor of the victimized business; however, it is not ethical to sell the data while you report the vulnerability to the concerned person and get it fixed. It is equally unethical to save the data on your computer and use it for personal or commercial purposes.
5. Bragging rights: It is an individual's personal choice whether to publicize finding the vulnerability on the web. Some people disclose it for bragging rights, while some people just don't.
There are organizations like CERT, NULL and others through which you can submit the vulnerability; the members of the organization will take care of it and communicate with the concerned person. You can also track the status. However, there might be a delayed response, and I personally have faced delays of a year or two. Also, product owners are not very serious about security vulnerabilities [especially in India, in my experience], and you need to keep following up.
Last but not least, be very careful before you get your hands dirty: be aware of the cyber laws in your country and take the necessary precautions so that you do not land in jail or get a heavy fine for violating them.