Don't have responsible disclosure terms? Maybe you're a jerk

The law is open to interpretation when a white hat breaks into a computer system with the intention of helping a business out, but both sides still appear to be breaking the cardinal rule: Don't be a jerk.

In 2011, First State Super (FSS) and its handling of information security professional Patrick Webster became the textbook case of how to be a jerk. In short, after Webster informed FSS of a vulnerability in its system, it thanked him, then sent the police to his door to pick him up.

Legal action against Webster was later dropped, and the Australian Privacy Commissioner's own investigation found that FSS had breached the Privacy Act, but the episode still sent a pretty strong message to white hats: Don't seek out trouble.

Dan Kaminsky's White Hat Hacker Flowchart probably demonstrates this best.

Freelance journalist and blogger Keith Ng found himself in a similar position in 2012 when, after alerting the New Zealand Ministry of Social Development to flaws in its system, he feared enough for his safety that he hired lawyers to protect him.

Some may have felt he was overreacting, but given what happened to Andrew Auernheimer, the security researcher facing 41 months' imprisonment for hacking AT&T, it was probably a good idea.

"It really comes down to 'don't be a jerk' — on both sides. But that's not legally scalable," Bugcrowd co-founder Jonathan Cran told ZDNet.

"Unless the organization defines what they expect with a responsible disclosure or bug bounty policy, the researcher is often left guessing."

But what is considered responsible disclosure?

Australia Post was left to scramble when one of its customers, Trent Bourne, went to the media after he was unable to get a response from it on Twitter. Bourne did not think that the seven to 11 business days that Australia Post required to respond was acceptable, and instead disclosed the vulnerability to News Limited.

Cran, whose company is in the business of setting up responsible bug bounties, said that the generally accepted best-practice disclosure window for websites ranges from 30 to 120 days, but "reasonable" is a very subjective term.

"Who decides reasonable?" he questioned.

"Unless organisations are proactive in defining 'reasonable' or 'responsible' (and setting expectations), often, the researcher is left to decide what it means for both parties. Often, researchers have a sense of civic responsibility to let the public know what they've found."

Yet, in a high-profile incident earlier this week between 16-year-old Joshua Rogers and Public Transport Victoria (PTV), neither the researcher nor the business appears to have learned the lesson.

Rogers gave PTV less than a fortnight to respond, with several of those days being public holidays over the Christmas and New Year's break, before reporting the issue to Fairfax Media. PTV, in turn, reported Rogers to Victoria Police.

Perhaps things could have been different if PTV had some sort of bounty program that outlined what responsible disclosure actually entails. Thankfully, that's what Cran is seeing: more organisations coming to Bugcrowd to set up bounties and clear up the conditions under which vulnerabilities should be reported.

According to him, providing such ground rules benefits everyone, and eventually that benefit flows down to the general public.

"It's happening," he said, referring to the number of bounties now out there. "The future's already here, it's just not evenly distributed."

At the very least, I'd hope organisations define what their view of responsible disclosure is, even if it is just to buy themselves some time. After all, it's hard for a company to turn around and say it wasn't given enough time if it was never clear on how much was enough.
