
Where's that Security@?

  • June 4th, 2015

All technology contains bugs. These bugs frequently have security implications that may be exploited by criminals, but they are more often discovered by friendly parties — security researchers, academics, hackers, vendors, professionals, even law enforcement — who want nothing more than to see the flaw resolved safely. Because of this inescapable reality, it is critical that every organization that builds technology also has a safe process for receiving vulnerability reports.

Unfortunately, many disclosure attempts from researchers continue to fall on deaf ears, and all Internet users are at increased risk as a result. This issue was recently highlighted in a letter to the Internet Policy Task Force:

Researchers who discover a serious security flaw in a piece of software or website should not have to spend hours or days searching for the contact information for the information security team at the company or organization responsible for the vulnerable code.

[...]

Providing security researchers with an easy way to report vulnerabilities is not just an industry best practice (ISO 29147), it is now a key component of what the Federal Trade Commission considers "reasonable and appropriate security."

We agree.

That's why we're launching the HackerOne Directory: a community-curated resource for identifying the best way to contact an organization's security team. Just as important, the Directory will also document whether the organization has published a responsible disclosure policy and any associated bug bounty programs.

[Image: The HackerOne Directory]

Researchers

  • Share your disclosure experiences and add security team contact information to the Directory so others can benefit from your work.
  • When you need to contact a security team, search the Directory for their contact information.
  • If an organization hasn't published security contact information anywhere, we recommend considering assistance from your local CERT.

Organizations

  • Publish contact information for receiving information about potential vulnerabilities in your products or online services, such as a security@ email address or a HackerOne program. See ISO 29147 for additional guidance or contact us.
  • Search the Directory for your organization to ensure that your security team's contact information and disclosure policy are accurate.

Empowering security researchers to perform their important work more efficiently is central to our mission, and we hope this Directory will prove to be a useful resource. Questions, complaints, or suggestions? All feedback is important to us and we'd welcome hearing from you.
