If you are a security researcher, a hacker, or “just” a developer, is very likely that this scenario sounds familiar to you. You are browsing the web, using a mobile app, or maybe inspecting your own HTTP logs and you spot something that grabs your attention.
Driven by curiosity, you start investigating the behavior of the target system and here we go! You just found a security issue!
It may sound like an oversimplified story, but the truth is that it really happens like that. Especially if you do cybersecurity on a daily basis, you develop a “trained eye” for bugs and a small hint can be enough to discover a very dangerous vulnerability!
And this is the moment when you start asking yourself:
- how do I report this safely?
- will the owner of the vulnerable system understand I am doing this in his best interest?
- will they understand the risks and implications?
- will I get in trouble?
And here is the ironic thing, you know that the right thing to do is to report what you found and make the company aware of the security issue, but this may also turn into an unpleasant experience because companies are not always open to this kind of reports, and legislation is not always clear on the boundaries of ethical hacking.
At the same time, ignoring a security finding would be also problematic. You could go ahead with your life, but you feel a sense of responsibility towards all the people who are impacted directly and indirectly. Many security vulnerabilities can often lead to citizens’ sensitive data being exposed, which a malicious actor could steal and use for bad purposes. As a skilled ethical hacker, if you can do something to prevent a cybercrime you should take action.
So, what are your options? Well, it depends on many factors – especially related to the system where the vulnerability lives and who owns it.
Ways to report vulnerabilities as an ethical hacker
TL;DR – you can always use the OpenCIRT framework to report vulnerabilities while preserving your peace of mind and possibly being rewarded. Regardless of the type of system, the responsible company, the location… as long as the vulnerability is impactful and ethically sourced, we will process it and do our best to get it fixed.
With that said, there are of course many other options based on the scenario.
Open Source Software
If you found a security bug in OSS, I can strongly recommend reporting it via huntr.dev. Huntr is a great project which allows security researchers to get rewarded for finding vulnerabilities in any public GitHub repository. You can also check “how much” a repository is worth using their estimation tool, and reporting a bug is pretty straightforward.
I recently reported a Broken Access Control bug and I can say I was very satisfied with the whole process. I can even say Huntr has been an inspiration for me to create OpenCIRT – with the difference that we don’t limit to OSS – anything is in scope.
Companies with a VDP or Bug Bounty program
If a company has a VDP (vulnerability disclosure program) or Bug Bounty program, your life will be a bit easier. You just have to double-check that your finding is included in the list of valid vulnerabilities and the target system is in scope. The reporting procedure should be included in the program policy itself, but be sure to read it carefully in order to avoid surprises from the triage team.
There is a bit of confusion between VDP and Bug Bounty – but the main difference is that in bug bounty, monetary rewards are assigned for the findings.
Most of the companies host their programs on well-known platforms like HackerOne, BugCrowd, Intigriti, and many more.
The “problem” is that nowadays, there is a very small percentage of companies with such policies, compared to the immense number of vulnerable systems exposed on the Internet. And final users are the ones who are paying the price for this slow adoption.
Companies without a VDP
The majority of companies as no official way to disclose vulnerabilities, and this is exactly the problem we are trying to solve at OpenCIRT. In this scenario, you could be brave, contact the company directly and report the security issue yourself.
Sometimes it works, but many times you are gonna have to “fight” against:
- unresponsive companies
- companies not understanding the danger
- quiet patching with no recognition
Of course, we at OpenCIRT will face the same issues, but we have procedures in place to mitigate all of these risks and most importantly protect the hackers who operate ethically.
If direct contact does not sound appealing, another option would be to contact the national CIRT (cyber incident response team). The experience may vary depending on the country as every country has its own CIRT, but you may expect your vulnerability to be considered only if it involves a major public risk.
For example, a server with open SSH access can be “not enough bad” for a CIRT, but for a company it surely is because it can be used by cybercriminals to host SPAM, malware, and so on.
For me, none of the mentioned options was good enough, and here is how OpenCIRT comes to life. We are working to create a legal/tech framework to allow any security researcher to report to any company, without boundaries except common sense and ethical behavior which we summarized in our Acceptable Hacking Policy.
Once we make sure that a bug is valid, we also take care that is explained in an effective way and is reported to the most appropriate company department in a private and professional way. And finally, we plan to open-source all of our procedures to allow hackers to propose improvements and be an active part of the system.
I believe the only way to aim for a more secure Internet is to have a “hacker-powered” security framework, and the freedom for researchers to report security bugs without any fear.
It doesn’t matter which option you’ll choose to report your bugs, what’s important is that you take action if you are acting for good, as I am sure you are.
This is the start. Keep dreaming, keep hacking.