It was Thursday night and I was sitting around minding my own business on the internet. While using a particular website, the UI controls started to bug out. After a few minutes of troubleshooting the obvious, I decided to open up Firebug and see why the application wasn't behaving. After about 15 minutes, I discovered a critical vulnerability in the application that impacted the entire user base (read: full compromise). This led to the next step of asking myself, "well, what do I do now?"
My dilemma wasn't about whether or not I should inform the company; I felt ethically obligated to. Without getting into my thoughts on vulnerability disclosure, in the context of this situation, I could not in good conscience ignore a vulnerability like this, but I did have one other problem, and that was figuring out who to get this information to and how to do it.
In case you didn't know, hackers hate inefficiency.
As was the case in my situation, security issues can be discovered unintentionally, and it's crucial that businesses publish contact information for their security resources to ensure that these things can be handled correctly. Many times, people try to contact general support first, but for large organizations, this can be an absolute nightmare. As someone who has worked at companies with massive call centers, I can assure you that calling up general support and saying "I have discovered a critical vulnerability" will still require the phone call equivalent of the Great Race in order to get passed through to an internal asset who can receive this information and act on it. When this happens, some may get frustrated and give up, saying, "I am trying to help and provide valuable information, but they're making it so difficult!" If someone has a vulnerability to disclose and they decide to walk away, you could be in a world of hurt later on. Regarding my recent experience, when I attempted to contact support, they informed me that they would pass my information along and someone would respond "if they are interested." This is not acceptable from a security standpoint and probably not acceptable from a legal standpoint either.
In addition to listing a security contact, support staff at all levels should have a playbook for how to handle vulnerabilities from customers and 3rd parties. When a customer calls in and says "my credit card was declined," there is a script that support can use to assist the customer. If someone calls and says, "I have identified a serious vulnerability in your service/application," it should be no different. Or, consider a different scenario that's less than ideal and one that I've seen on a few occasions. Let's say that someone is shopping on your site and they connect to a sales rep using the live chat widget. The conversation goes like this:
"Hello! Thank you for using $E-commerce. My name is Amanda, how may I assist you today?"
"Hi Amanda. I just wanted to let you know that due to a flaw in your shopping cart app, I just dumped your credit card database. Have a good day!"
*User has disconnected*
What does your playbook say happens next? Who does it get escalated to?
When it comes to security vulnerabilities, the window of exposure is what matters, and having properly trained staff who can manage these issues efficiently throughout the organization is a great way to keep that window short.
So what's the takeaway?
- Publish contact information on your site, either for specific individuals or for a general mailing address dedicated to security problems
- Maintain a valid and current security contact in your WHOIS records
- Educate front-line staff on how to receive security notifications from customers and 3rd parties
- Have a rapid escalation procedure for reported security issues
In short, security vulnerabilities are likely a huge deal for any company, so make it easy for people to get you that information, however you do it.