Bugcrowd's Casey Ellis talks about disclosure, bounty programs, and vulnerability marketing with CSO, in the first of a series of topical discussions with industry leaders and experts.
Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focuses on disclosure and how pending regulation could impact it. In addition, we asked about marketed vulnerabilities such as Heartbleed, and about bounty programs: do they make sense?
CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A, or feel free to suggest topics for future consideration.
Where do you stand: Full Disclosure, Responsible Disclosure, or somewhere in the middle?
Casey Ellis, CEO, Bugcrowd (CE): I'm a big believer in responsible disclosure, as long as it's clear to all involved that the "responsible" bit applies to the companies running the programs as well as the researchers. Being a responsible program owner is largely about setting clear expectations and sticking to them, especially when it comes to respecting the researcher, their skills and time, and the fact that they've just done some very valuable work for you for free.
The reason that full disclosure even exists as an option is that this process fails regularly. At this point, the researcher is in a position where he's tried to help all the stakeholders in play and focused on communicating effectively. But if the system breaks down, then the next question to ask is, "what leverage do I have to get this done?" So while I'm not an advocate for full disclosure, I understand why it exists because companies aren't always good at following through with these processes.
If a researcher chooses to follow responsible / coordinated disclosure and the vendor goes silent -- or CERT stops responding to them -- is Full Disclosure proper at this point? If not, why not?
CE: I've sat on both sides of this, as a researcher trying to get it done and as a consultant for companies on the receiving end. I can't say that full disclosure is "proper," as full disclosure is almost never the ideal outcome at the end of the day. But sometimes the researcher will end up in a situation where it's the only path they have to pursue to get heard.
Overall, this process is pretty weak. The very fact that you're asking this question shows that it's still a problem that we should be fixing, despite the fact that it's been around for a long time. Bottom line, clear expectation setting and communication between companies and researchers is a must to avoid this in the first place. The researchers are already at the table - it's up to the companies to learn up and step up.