C'mon, biz: Give white hats a chance to tell you how screwed you are

There have never been more white-hat researchers hunting for vulnerabilities on internet-facing systems and yet barely any organisations provide a way for them to report the issues they find.

In theory, the easiest way is to publish a Vulnerability Disclosure Policy (VDP), yet recent research here and here (PDFs) from bug bounty outfit HackerOne showed that only 7 per cent of Forbes 2000 companies advertise a process that could be as simple as providing an email address and PGP key.

Some sectors were better than others, with financial services a surprising laggard. In the money sector, 93 per cent of businesses have no VDP compared to 76 per cent for telecoms and 53 per cent for tech, and yet the overall situation is still extraordinary given that such policies are a zero-cost security upgrade.

Whether confidence or complacency, it's not as if corporations haven't been told that VDPs should be a priority, with the US Department of Justice (DoJ) recommending them as standard issue for all industries as far back as 2017.

Beyond the vuln disclosure policy lies the bug bounty – and here even wealthy sectors such as financial services seem reluctant to invest, with the average reward from HackerOne's programmes averaging only $1,118 per flaw, well below the tech sector.

The reticence of financial services companies was cultural, according to HackerOne security engineer Laurie Mercer. "The idea of someone outside this organisation submitting a vulnerability report to them is quite alien."

This was despite these companies having mature security practices internally. "The exception is the new generation of fintech companies that often will have a VDP or bug bounty programme," he said.

"One of the challenges companies face is that their software development lifecycle is still a waterfall approach with long latencies. If all of a sudden you switch to this method of receiving vulnerability reports almost at random, what do you do with them? A lot of companies just aren't ready to embrace this change."

The effect of lower bug bounties in the finance sector was that researchers would focus their attention elsewhere. A growing area of vulnerability is unintentional information disclosure, which HackerOne's figures show now account for 18 per cent of financial services sector vulnerability reports.

"It's a lot easier to make a mistake leading to a security configuration such as allowing read access to anyone," said Mercer. Because this type of vulnerability involves access to sensitive data, it can be among the most difficult to report to companies lacking a clear process. "If they don't see a policy, they worry they might get in trouble."

While VDPs can be simple reporting mechanisms, big companies are increasingly fashioning more comprehensive ones in an attempt to give researchers legal reassurance. One example is Dropbox, which earlier this year started advertising its VDP as a template it said any company could adopt.

Pen-testing struggle

And yet according to Dutch pen-testing company Blueprint Cyber Security, having a VDP is no guarantee of plain sailing.

"It's a real hit-or-miss when disclosing vulnerabilities directly to the organisation. They have a responsible disclosure policy and we follow the rules of engagement and disclosure, but they could still react with legal threats or escalate the situation instead of fixing the issue," said managing director Michael Gesner. "Researchers in our network have approached us in the past to be a go-between to reduce their risk of being penalised for their discovery."

Unfortunately, a lot of companies publish a policy on their website but fail to manage it, while others remain nervous about the motivations behind vulnerability researchers they know little about. But even well-run programmes require resources to technically validate submissions and to communicate, as well as issue bounties where appropriate.

Gesner believes that the uncertainty on both sides will only end when managed vulnerability disclosure programmes – including HackerOne's – become commonplace, possibly backed by new legislation to protect researchers.

"These platforms are vital for researchers as [they] completely reduce the risk of legal actions, as long as they have followed the guidelines provided by the associated organisation." ®