411 for Hackers: Disclosure Assistance

UPDATE 4/17/17: HackerOne has a new and improved flow for Disclosure Assistance. As such, some information from this blog is now out of date. For more information on the new Disclosure Assistance flow, please see the updated support article: What is Disclosure Assistance, and how does it work?

By Alex Rice

When a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, earlier this year we introduced the Directory to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.

After adding thousands of pages to the Directory, we were troubled by how few organizations made it easy for external parties to responsibly report vulnerabilities. A whopping 94 percent of Forbes' Global 2000 have no established channel for receiving external vulnerability reports. Of the top 100 publicly traded companies in the Global 2000, only 13 percent have disclosure programs. Taking a closer look, we found that none of the top 10 automotive, healthcare, insurance or pharmaceutical companies in the Global 2000 have an established channel for receiving vulnerability reports. In fact, ING is the only financial services company in the top 100 with a vulnerability disclosure program. Similarly, United Airlines is the only airline in the Global 2000 with a formal policy.

It's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.

In the physical world, "If you see something, say something." is a core tenet of any safe community. The same should be true online, yet far too often good samaritans are pressured to "say nothing." Encouraging strong relationships with organizations and the hacker community is key to creating a safer Internet for all. The HackerOne Directory aims to reduce risk for the individual and help close this crucial gap.

So, How Does it Work?

If you're attempting to report a security vulnerability, search the Directory to locate that organization's official vulnerability reporting process. If the organization has no defined process, look for "Disclosure Assistance" to request help in contacting the organization. HackerOne will then take steps to identify the organization's official vulnerability reporting process and will notify you once that process has been documented so you can connect directly. HackerOne never receives vulnerability reports on an organization's behalf. UPDATE - HackerOne now receives reports and verifies the legitimacy of the bug first. Read more in the updated Disclosure Assistance Help Center Article

Why offer Disclosure Assistance?

Organizations typically publish a vulnerability disclosure policy with guidance on how they want to receive information related to potential vulnerabilities in their products or online services (see ISO 29147). In the absence of a vulnerability disclosure policy, attempts to report security vulnerabilities often carry considerable legal risk for the security researcher, causing many to simply withhold vulnerability information or publish anonymously. In these cases, it is impossible to achieve an optimal outcome that ensures security vulnerabilities are safely resolved.

It is in our collective best interests that this scenario be avoided. If you have been unsuccessful in contacting an organization regarding the responsible disclosure of a potential security vulnerability, HackerOne can offer assistance. We will take steps to identify the organization's official vulnerability disclosure policy.

How does Disclosure Assistance work?

Search for the organization you are attempting to contact in the Directory. If a security contact method has not been published there, select "Disclosure Assistance" and HackerOne will take steps to identify an official process. If we are successful, you will be notified of the process and may submit the vulnerability report to the organization directly. HackerOne does not receive or submit vulnerability information on your behalf. UPDATE - HackerOne now receives reports and verifies the legitimacy of the bug first. 

Please be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ and encourage you to perform other contact attempts in parallel to our effort.

Are there any risks with Disclosure Assistance?

It is impossible to completely eliminate the inherent risks associated with vulnerability disclosure and we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ. However, HackerOne Disclosure Assistance may reduce your individual risk in several areas:

• HackerOne will not accept any vulnerability information during the process, so no additional parties become privy to the disclosure details. UPDATE - HackerOne now receives reports and verifies the legitimacy of the bug first. 
• HackerOne does not require your identity to complete the process, so you may utilize a pseudonym to remain anonymous.
• Once the organization's vulnerability disclosure policy is published, you have an opportunity to review it before choosing to make contact.

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.