Responsible disclosure – this is the principle that ethical hackers follow when they discover a security vulnerability in a company. We explain what Responsible Disclosure is in this blog post. We also explain why companies should collect and use this information in a targeted manner – and give initial tips on how.
Responsible Disclosure refers to how newly discovered security vulnerabilities are announced. Fortunately, there are independent ethical hackers who check websites, programs, apps and the like for security vulnerabilities – not in order to exploit them criminally, but to help close these gaps.
Usually, the ethical hackers report the vulnerability to the company whose program, website or app is affected. They give the company a reasonable amount of time to close the gap. Only then do they inform the public about it. The aim of this approach is to prevent cybercriminals from exploiting the security gaps.
Good to know: Alternatively, Responsible Disclosure is also known as Coordinated Disclosure – because the companies and the ethical hackers coordinate their actions.
First of all: Ethical hackers are not a uniform group. What they have in common, however, is that they have enormous computer expertise and practice a certain hacker ethic. Perhaps their own individual one, or, for example, the hacker ethics of the Chaos Computer Club. One of its principles is: “Use public data, protect private data”. Many security vulnerabilities endanger the protection of private data. Therefore, ethical hackers often feel responsible for ensuring that such security gaps are closed.
However, there are also companies that remain permanently inactive. In such cases, ethical hackers can opt for full disclosure, i.e. publishing the vulnerability in full. They then make the vulnerability public – even though it has not yet been closed. This decision is a double-edged sword. On the one hand, cybercriminals also learn about the security gap that has not yet been closed. On the other hand, the announcement usually puts massive pressure on the company in question to close this gap as quickly as possible.
Important: Cybercriminals specifically look for security vulnerabilities in order to exploit them for their own purposes. Therefore, ethical hackers often have to weigh the probability that a vulnerability they find is already known to at least some cybercriminals.
More and more companies are trying to make it easier for ethical hackers to disclose responsibly. For example, by setting up a special e-mail address for such notices or by providing a form.
In some cases, they also provide ethical hackers with information about what types of security vulnerabilities are relevant to them and how they deal with the report. The background to these efforts is the realization that companies here benefit from the unsolicited expertise of ethical hackers.
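A standardized way to publish exactly this information – where to send a report, which languages and encryption are accepted, and where the disclosure policy lives – is a security.txt file served at /.well-known/security.txt, as specified in RFC 9116. The following file is an added example for illustration, not taken from the original post or from any particular company; the domain, addresses and URLs are placeholders.

```text
# Constructed example of /.well-known/security.txt (RFC 9116).
# Only "Contact" and "Expires" are mandatory; the rest are optional.
# All names and addresses below are placeholders.
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/responsible-disclosure
Acknowledgments: https://example.com/hall-of-fame
```

The Policy field is the natural place to link the page that describes which types of vulnerabilities are in scope and how reports are handled; Encryption lets reporters send details confidentially; Acknowledgments gives reporters the public credit many ethical hackers value. Keep the Expires date current, since RFC 9116 tells reporters to treat an expired file as stale, and serve the file over HTTPS so its contents cannot be tampered with in transit.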
When finding security vulnerabilities, ethical hackers can technically make themselves liable to prosecution. For example, if they discover that personal data is publicly viewable due to a security vulnerability – and in the event of this discovery, they inevitably view some of this data.
Usually, companies do not report the ethical hackers in such cases. However, a major German party did so after several security vulnerabilities in one of its apps were reported to it. As a result, Europe’s largest hacker association – the Chaos Computer Club – announced that it would no longer report security vulnerabilities to this party in the future.
Security breaches can cause serious damage to your company. Therefore, make it easier for ethical hackers to report according to the principle of responsible disclosure.
What a responsible approach to newly discovered security vulnerabilities looks like is not always entirely clear. Many companies welcome the precise pointers they receive from ethical hackers and strive to close the security gaps that are reported to them.
Some examples of how other organizations deal with Responsible Disclosure:
Further helpful information can be found in the BSI document “Handling of vulnerabilities. Recommendations for manufacturers”.
Usually, ethical hackers report security vulnerabilities without asking for money. This makes it all the more important to be aware of the value of this information. Hiring ethical hackers for targeted security testing isn’t cheap. Therefore, many large companies offer rewards for reported security vulnerabilities.
So should you also pay a finder’s reward for reported security vulnerabilities? Ultimately, you decide. Finding and responsibly, constructively reporting security vulnerabilities can cost ethical hackers a lot of time and effort – and save you a lot of trouble. We therefore recommend expressing your gratitude and appreciation in a way that suits your company’s means, perhaps in the form of a bonus or through particularly popular giveaways or free products – preferably in the way you would like to see a comparable service rewarded yourself.
If you have any further questions about Responsible Disclosure or would like assistance in enabling or processing such reports, please contact us.