Responsible disclosure refers to the way newly discovered security vulnerabilities are announced. The announcement is made responsibly, that is, in a way that gives cybercriminals as little opportunity as possible to exploit the vulnerability before it is fixed.
There are independent ethical hackers who check websites, programs, apps and the like for security vulnerabilities, not in order to exploit them criminally, but in order to help close the gaps they find.
Usually, ethical hackers report a vulnerability first to the company whose program, website or app is affected. They give the company a reasonable amount of time to close the gap, and only then do they inform the public. The aim of this approach is to prevent cybercriminals from exploiting the vulnerability while it is still open.
If a company delays or refuses to close the vulnerability, this poses a dilemma for ethical hackers. Cybercriminals actively look for security vulnerabilities in order to exploit them for their own purposes, so a vulnerability found by ethical hackers may well already be known to at least some cybercriminals.
With this in mind, ethical hackers may decide to make the vulnerability public even though it has not yet been closed. This usually puts strong pressure on the company to close it quickly.
Responsible disclosure mainly concerns companies. If ethical hackers discover a security vulnerability in your website, for example, they will try to bring it to the attention of the appropriate person or department in your company.
Security breaches can cause serious damage to your company. Therefore, make it easy for ethical hackers to report vulnerabilities according to the principle of responsible disclosure. Many companies set up a dedicated page on their website for this purpose, often under the heading “Responsible Disclosure”, stating whom to contact, how to submit a report and what the reporter can expect in return.
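One widely used way to make such a reporting channel discoverable, added here as an example that is not part of the BSI text, is a security.txt file as standardised in RFC 9116. It is served under `/.well-known/security.txt` on the company's web server. The domain, e-mail address and URLs below are placeholders.

```text
# /.well-known/security.txt (example; example.com and all URLs are placeholders)

# Required: where to send a vulnerability report (mailto:, tel: or https: URI)
Contact: mailto:security@example.com
Contact: https://example.com/responsible-disclosure/report

# Required: date after which this file should be considered stale (ISO 8601, UTC);
# RFC 9116 recommends a value less than one year in the future
Expires: 2026-06-30T23:59:59.000Z

# Optional: public key reporters can use to encrypt their report
Encryption: https://example.com/pgp-key.txt

# Optional: the responsible-disclosure policy itself (scope, timelines, safe-harbour terms)
Policy: https://example.com/responsible-disclosure

# Optional: languages in which reports are accepted
Preferred-Languages: en, de

# Optional: canonical location of this file
Canonical: https://example.com/.well-known/security.txt
```

Two practical checks: the `Expires` date must be kept current, because a stale file signals an unmaintained channel, and the `Contact` address must be monitored by the person or department that actually handles vulnerability reports, not by a general inbox where a report can sit unread.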
For more information, please refer to the BSI (Federal Office for Information Security) document “Vulnerability Handling: Recommendations for Manufacturers”.