Are you up for the challenge, or ready to implement a Responsible Disclosure policy in your organisation? Or are you dealing with an ethical hacker who wishes to submit a responsible disclosure report, but are unsure how to handle it? Responsible disclosure is a tool which can help your organisation improve its cybersecurity. It allows hackers and cybersecurity researchers to notify your organisation of vulnerabilities detected in your systems, so that you can resolve them before any harm is done. As a result, you will be able to prevent unnecessary data leaks or system exploitation by malicious hackers. Although responsible disclosure sounds exciting, it is mainly a matter of entering into clear agreements with the people investigating your systems, products or services. This can be done by means of a solid and unambiguous responsible disclosure policy.

Responsible disclosure or bug bounty

Responsible disclosure is very similar to a bug bounty programme, except that payment is not required in responsible disclosure. Responsible disclosure assumes that the ethical hacker in question has good intentions: the ethical hacker must perform the investigation in a responsible manner and notify your organisation of the findings at once. In addition, an ethical hacker must go no further than is strictly necessary to confirm that a particular type of vulnerability exists. For instance, the ethical hacker may not download or modify data. You record the acceptable boundaries of the ethical hacker’s efforts in your responsible disclosure policy, which must also state how the hacker can expect themselves and their report to be treated.

From policy to practice

Establishing a sound responsible disclosure policy is a first step in the right direction. But even if you do not have a responsible disclosure policy in place, you may be faced with a well-intentioned hacker who wishes to inform you of vulnerabilities found in your system. What happens when a hacker emails your organisation, or calls to say that a security hole in your systems has been detected? We often come across organisations that are unprepared for this type of message. Worse still, receptionists and other first points of contact tend to be trained to reassure the customer, telling them that everything is all right. Such a response may have an adverse effect on an ethical hacker who knows something is wrong. If your organisation fails to acknowledge warnings on several occasions, a hacker may well decide to disclose the findings in a different manner, which may have dire consequences for your organisation. Organisations are therefore advised to have a solid responsible disclosure procedure in place. After all, you never know when an ethical hacker may identify a weakness in the security of your organisation’s information systems.

With the right training and information, your staff will be able to quickly determine whether they are dealing with a legitimate ethical hacker and, when this is the case, initiate the procedure to bring the hacker into contact with the right people within your organisation. This procedure makes your information systems safer and allows you to better protect your customers, while the hacker will be satisfied at having been able to help you solve a problem.

Want to know more?

Nathalie Falot

Senior Legal Consultant