Sunday evening, just before dinner, someone called Roy comes online: he wants to tell the web developers at surf.nl that there is a security leak on the website. Who should he speak to, and how? Roy stresses that he is not acting with any malice and that he wants to help us fix the problem as quickly as possible.
When developing software and applications, you do what you can to prevent errors creeping into the system: you follow standards, use safe programming techniques, and build in reviews and checks both during construction and afterwards. Errors, bugs and vulnerabilities disrupt normal use and raise the fear of damage among users and others affected. Depending on how critical the application and the type of data are, you do this more or less thoroughly and more or less intensively. That means that now and again something slips through. Modern applications also build on standard functions and function libraries, and these are not error-free either: serious flaws in them are discovered regularly. Another source of errors is system and application configuration, including incorrect use through ignorance or haste. In practice, many of the systems we use daily contain errors, some of them serious, most relatively harmless.
Responsible disclosure policy
It is therefore valuable when other people also keep their eyes open and tell us about any problems they find. As long as they do not abuse the ‘loopholes’ they discover, this is not a problem; this kind of ‘joining in’ is worth having. It can be formalised by adopting a ‘responsible disclosure’ policy. SURF made a sample policy (in Dutch) available a while back, based on an approach that is used nationally, and SURF has adopted this policy itself.
There is also international interest in the responsible disclosure approach, although it is not entirely new to the Internet community. Responsible disclosure codes for reporting problems to vendors have existed for some time: the vendor is given the chance to fix the problem before the person who discovered it tells the rest of the world. The largest software companies value this and also run bounty programmes, sometimes with a lot of money involved. The focus of responsible disclosure has now broadened to the user side: to companies and organisations, and their sometimes poorly protected systems.
The models that SURF has developed have been adopted by the Netherlands CIO Platform for its members. The Platform has also brought them to the attention of their European colleagues. And in May 2016, the CIO Platform will join forces with the Ministry of Security and Justice at the High Level Cybersecurity Meeting (held under the auspices of the Dutch Presidency of the EU) to draw it to the attention of the other countries in the EU at government level.
Responsible disclosure will never replace taking responsibility for working carefully and carrying out regular checks. But it certainly helps. And given today’s scarcity of knowledge and expertise, it is great to have ‘Helpful Hackers’. In his book ‘Helpful Hackers’, Chris van ‘t Hof describes a large number of practical cases and explains how Dutch policy deals with the subject.
And back to Roy – what happened next?
Thanks to Roy’s warning, we were able to fix the nasty leak in the web form within 24 hours. Thanks again, Roy, for your noble efforts.
More information about responsible disclosure
Chris van ’t Hof – Helpende Hackers, ISBN 978-90-823462-0-6 (recently published in English as ‘Helpful Hackers’ ISBN 9789082346237)