If a security researcher is sending you emails trying to tell you about a vulnerability they found, this is actually a good thing, and infinitely preferable to one of the bad guys finding that vulnerability and not telling you. Not only should you not panic, you should be pleased that a white hat hacker has taken the time to find a vulnerability in your security, and look forward to resolving it with them, strengthening your overall cybersecurity posture in the process.
This is much easier said than done, and it typically takes an experienced CISO to look at things this way. Usually what happens is that the business owner, their legal team, senior executives, IT Director, or all of the above immediately panic about their reputation or think they are being shaken down. This article is aimed at business leaders who find themselves being notified by a security researcher that there is a hole in their security. It lays out some best practices, sensible next steps and common sense guidance for dealing with the situation in a proactive, legal and ethical way.
Remember that a security researcher contacting you about a vulnerability is already acting in good faith: they are not attacking you, trying to embarrass you publicly or trying to blackmail you. They are privately warning you of the risk.
They are usually trying to warn you about a potentially embarrassing security vulnerability which could damage your reputation and potentially cause a data breach if it was instead found by an unscrupulous black hat hacker. Most security researchers do not even expect payment, although it is nice to have your efforts rewarded.
The reason the security researcher found a vulnerability in your security is almost certainly not because they were directly targeting your business, and probably because they stumbled across a misconfigured server. More than likely they came across something exposed to the internet which should not be, using a search engine for internet-connected devices like Shodan, and noticed your vulnerability in the results.
Think of Shodan like Google, but instead of indexing web content via ports 80 (HTTP) or 443 (HTTPS) like Google does, Shodan searches for devices that respond on a number of other ports, like 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 3389 (RDP) and 5900 (VNC), allowing searches for webcams, industrial control systems for nuclear power plants, traffic signaling equipment, routers, firewalls, CCTV systems, power grids and your business's IT infrastructure.
Nine times out of ten, if a security researcher found your vulnerability it is because your own team accidentally left something open to the internet and forgot about it, not because the researcher is maliciously targeting your business for financial gain.
They are doing you a favor by reporting what they found on the internet, and acting in good faith to warn you about your vulnerability is what makes them a white hat security researcher and not a black hat hacker. Try to remember this.
For some reason many organizations stick their head in the sand when a researcher contacts them, ignoring them completely, and this is one of the worst things that you can possibly do. Nobody likes being ignored, especially when they are trying to warn you about a potentially serious vulnerability, and there is no profit to be found in ignoring somebody who tells you about yours. If anything you will infuriate a stranger who knows about a potentially serious vulnerability in your security.
The bare minimum you need to do is email the researcher saying thank you and informing them that your security team will look into the vulnerability immediately. This will put the researcher at ease because you have acknowledged them and their efforts, and reassured them that you are working on a fix.
If you ignore the researcher for too long and also ignore the vulnerability, there is a very real risk that they could go public with the vulnerability, forcing your hand and embarrassing you in front of your audience, customers and partners because you left them no other choice. All the researcher wants is for you to fix your security hole and by publicly disclosing it after you ignored them you will be forced to fix it.
I spoke to security researcher e-sushi about this and he told me: "I think most companies knee-jerk react when being contacted by a security researcher and have a hard time understanding that it's not about money, it's about security. Making them understand that can be really exhausting, it's like trying to give a random person on the street a free dollar, many won't understand your motivation and rather refuse to take it. Same with infosec, especially because usually companies will only see that dollar when they lost it because they ignored a report."
Whatever you do, don't ignore the researcher and let them responsibly disclose to you and your team in private before knowledge of it becomes public.
Sometimes when a researcher contacts a business that is not cybersecurity conscious, they will knee-jerk and seek legal advice. Lawyers (being lawyers) will immediately ignore the realities of the situation and advise their clients to try and silence the researcher with the threat of legal action, and it almost always blows up in their faces via negative publicity and the vulnerability leaking in some way.
Threatening a researcher who tried to warn you about a security hole in your business with legal action is the worst thing you can do and will immediately earn you the condemnation of the infosec space and a negative listing here.
It makes no sense to legally threaten security researchers who act in good faith and privately disclose a vulnerability when they are not a threat to your business. All you are really doing is informing your customers and partners that you do not understand the legitimate and legal work that researchers perform, and that you do not really understand how cybersecurity works in the real world.
You are also announcing to black hat hackers that you do not follow best practices when it comes to dealing with security vulnerabilities and probably have other holes in your security that you have covered up by threatening legal action. Don't be assholes like Keeper Security, drone maker DJI, or River City Media and earn the ire and scorn of the infosec space and the media resulting in bad PR.
Follow the lead of Dropbox and Tesla and publish clear vulnerability disclosure notices promising that you will not prosecute hackers acting in good faith. This is the best practice approach to take when security researchers contact you to disclose.
The last thing you want is the researcher publicly disclosing your security holes on Twitter, or in a blog post, so make sure you get them to sign an NDA. Understand though that the researcher has zero obligation legally, morally or ethically to sign an NDA with you if you offer nothing in return, so you need to do this in the right way.
Too often security researchers are silenced with an NDA, only to see a serious vulnerability go unresolved because the business in question knows they cannot say anything for fear of legal action. Whatever you do, do not try to get a researcher to sign an NDA in order to cover up the vulnerability; it's just as bad as threatening legal action and it will still leave you vulnerable to the real threats. Understand that an NDA does not fix your security vulnerability or protect you from black hat hackers who will use it for criminal commercial gain if it is left unresolved and they find it.
In return for signing the NDA, you could offer the researcher a 'bounty', a cash payment that acknowledges the work they have done, rewards them for their efforts and buys their silence while you work to properly resolve the issue. At the very least offer the researcher some of your product or services for free (a swag bag) instead of a cash payment and send them a really nice letter thanking them.
If you want to reap the benefits of positive PR, be like Google, who gave a teenager $10k for finding a serious vulnerability, or any of the companies who regularly pay out bounties to researchers in return for ethical vulnerability disclosures because they recognize the value in security researchers finding bugs before cybercriminals do.
If you do decide to reward the researcher, understand that it's usually not about the money for them; they were just doing what they do every day to improve their skills and experience and saw a hole in your security. You do not have to pay out tens of thousands of dollars; a modest reward and a letter of appreciation go a long way.
If however they totally save your ass and discover embarrassingly bad holes in your security, then feel free to reward them a handsome bounty, they deserve it.
To many business owners the idea of paying out money to a researcher who found a hole in their security can feel like a shakedown, and while I can kind of understand this, I also see how misguided and unhelpful that attitude is in the real world.
Understand that a shakedown from a black hat hacker does not come in the form of a vulnerability disclosure, they prefer to use ransomware, data theft and fraud in order to extract their value from your security vulnerability. Cybercriminals do not contact you to tell you about vulnerabilities before exploiting them. Thinking of a vulnerability disclosure as a shakedown is a reflection of your own insecurity rather than reality.
Think of it this way, imagine that a bounty hunter had brought you a dangerous and wanted criminal who intended to do damage to your business. In these situations it is appropriate to pay out a bounty so that you can reward the bounty hunter for finding the criminal before he hurt you, your customers and your business.
Remember that the value of your vulnerability on the black market is much higher than whatever you plan to reward the researcher and that they could have easily sold your vulnerability to people who would use it for criminal purposes and financial gain.
For a small, low-impact vulnerability a bounty of between $200 and $500 is usually appropriate, just enough to reward the researcher for their efforts. For larger and more serious vulnerabilities I have seen organizations pay out anywhere between $5,000 and $45,000, depending on the severity and the bug bounty program.
When working out how much to reward a researcher in a bounty payment you should consider its potential impact on your business and how much it would cost you if you were attacked using the vulnerability. This can be difficult but it can help guide your decisions when it comes to awarding bounties to researchers.
If you are a small business that cannot afford a large bounty payment, just tell the researcher and send them a nice letter with a $20 bill in it. The important thing is to acknowledge their work, and remember it is usually not about the money for the researcher; they are usually happy to help out a small business.
But if you are a large business and a researcher saves your skin by bringing you news of a serious hole in your security, then you should cough up some cash based on the potential black market value of your security hole, weighted against the cost of failure for your business if that vulnerability was used by a criminal.
However large or small, pay out a bounty, it's best practice to reward researchers who voluntarily spend their time helping you improve your security.
Ultimately this is what drives most security researchers to report the vulnerability to you in the first place, they just want you to fix a gaping hole in your security and to leave you with a stronger cybersecurity posture than when they found you.
One way or another you have to resolve the vulnerability and plug the hole in your security, because if one researcher found it then it's only a matter of time before somebody else does. Understand that the longer this vulnerability is left unresolved, the more risk you expose your business, customers, shareholders and partners to. It is essential that you resolve the vulnerability if you want to retain your security credibility and protect your reputation over the long term.
Understand that the real threat to your reputation and the security of your business is a failure to resolve serious vulnerabilities when they are disclosed and not the security researcher who is trying to warn you about the risk before it gets ugly.
Bring in professional contractors if you have to, but if you have no budget or resources to bring in that expertise, you can always ask the researcher to help you resolve the problem themselves; usually they will be pleased to help you fix the holes in your security. Remember that these are people who want to do good.
I can understand you not wanting to trust a strange hacker who you think hacked your business, but if you cannot afford to fix the vulnerability by bringing in professionals or hiring your own security people, you need to trust the researcher who warned you about it and throw them a few dollars to help you fix the problem.
Just make sure you do things properly and have the researcher sign a legal penetration testing agreement outlining the scope of the work. This protects both you and the security researcher legally and legitimizes the engagement.
However you resolve the vulnerability, make sure that you resolve it.
Think about how difficult it was for the security researcher to contact you and warn you about your vulnerability and make it easy for the next one to contact you.
I see security researchers on social media all the time becoming frustrated with companies and brands because they have no clear way to notify the right people within an organization about a vulnerability, and the people they can reach simply do not understand. The last thing you want is unqualified people dealing with security researchers who are trying to disclose, on a public platform, making it known that you have gaping holes in your cybersecurity and seem not to care about them.
If only every company would have a "security@…" email address, monitored by someone who is a bit knowledgeable in infosec realms, that would be great. Most infosec researchers will embrace it and gladly take it from there. - Original E-Sushi
This is best practice at some of the world's largest and smallest organizations. If you make it easy for researchers to contact you, it shows you care about finding vulnerabilities in your infrastructure and possess cyber awareness.
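The standard machine-readable complement to a monitored security@ mailbox is a `security.txt` file published at `/.well-known/security.txt` (RFC 9116), which tells researchers where to report. The following is an added example, not code from the original article: it generates such a file for a hypothetical security@example.com mailbox and checks an existing one for the mistakes that most often make the contact unusable (missing or stale `Expires`, non-URI `Contact`).

```python
from datetime import datetime, timedelta, timezone

# Fields RFC 9116 requires in /.well-known/security.txt; all others are optional.
REQUIRED_FIELDS = {"Contact", "Expires"}

def build_security_txt(contact_email, policy_url=None, valid_days=180):
    """Render a security.txt pointing researchers at a monitored mailbox.
    Expires is mandatory; keeping it under a year forces a periodic review
    so the published contact does not silently go stale."""
    expires = datetime.now(timezone.utc) + timedelta(days=valid_days)
    lines = [f"Contact: mailto:{contact_email}",
             f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}"]
    if policy_url:  # hypothetical disclosure-policy URL, optional field
        lines.append(f"Policy: {policy_url}")
    return "\n".join(lines) + "\n"

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means researchers can use it."""
    now = now or datetime.now(timezone.utc)
    problems, seen = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are permitted
        if ":" not in line:
            problems.append(f"malformed line: {line!r}")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        seen.setdefault(name.title(), []).append(value)  # names are case-insensitive
    for field in sorted(REQUIRED_FIELDS - set(seen)):
        problems.append(f"missing required field: {field}")
    for contact in seen.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a mailto:, https:// or tel: URI: {contact}")
    expires_values = seen.get("Expires", [])
    if len(expires_values) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires_values[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append("file has expired; researchers may treat the contact as stale")
        elif expires - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends less")
    return problems
```

Run the checker against your own published file on a schedule, since an expired or misconfigured `security.txt` quietly recreates the "no clear way to contact you" problem described above.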
With the press screaming about data breaches, cyberattacks, cybercriminals and malicious hackers, it is too easy for the technically inexperienced to mistake security researchers acting in good faith for malicious operators or black hat hackers, so spread word of the good guys out there, the white hats fighting the good fight.
Security research, white-hat hacking and vulnerability disclosure are legal and legitimate activities, and we desperately need this work performed so that we can better understand the flaws in the technologies that are so essential to the way we live. The work of white hat security researchers acting in good faith, and the security research and evaluation activities they perform, are an essential part of defending against a constantly shifting cybersecurity threat landscape and help make us stronger.
Vulnerability research, discovery and disclosure are critical elements in our modern and highly digitized society, so much so that the US National Institute of Standards and Technology recognizes that white hat vulnerability disclosure is a hugely important part of effective cybersecurity in its public Cybersecurity Framework.
We absolutely need these white hat hackers out there conducting their research and it is infinitely preferable that they find your vulnerabilities before the bad guys.
White hats are out there right now hunting for vulnerabilities that could negatively affect your security, and when they bring them to you, we salute them for it. Their public service strengthens the cybersecurity of the whole (our economy) over the long term.
So spread around some good vibes for the white hat hackers out there, think of a vulnerability disclosure like getting a visit from the tooth fairy, you may be missing a tooth but you clearly profit from having the friendly tooth fairy pay you a visit.
If you hear people out there trash talking hackers and their misdeeds, remind them about the white hats and the good work they do improving our security.
If a security researcher contacts you, don't panic, be cool and do the right thing.