Responsible disclosure is the foundation of ethical hacking. When Detectify employees give talks about what we have learned from hacking well-known companies like Google and Slack, people get confused. Is hacking even legal? What do the companies say when you hack them? Are you going to get sued for going public with a vulnerability you found on Facebook? It all boils down to a policy called Responsible Disclosure, and a monetary reward system called Bug Bounty. We have gathered 10 frequently asked questions about responsible disclosure and bug bounties and explain how it all works.
What does Responsible Disclosure mean?
The concept is exactly what the name suggests; it is a responsible way of disclosing vulnerabilities. When a company implements a Responsible Disclosure Policy, it means that they allow freelance ethical hackers to find and report vulnerabilities to them. It’s a way of saying “It’s okay for you to hack us and report the vulnerabilities that you find on our website. We will not press charges or call the police when we receive your report, but we appreciate your efforts and will act on your findings as long as you do your research in a responsible and ethical way.”
What is the difference between Responsible Disclosure and Bug Bounty?
Responsible Disclosure opens the door for ethical hackers to find and report vulnerabilities to you. Bug Bounty, on the other hand, means offering monetary compensation to the ethical hackers who find vulnerabilities. The monetary reward is often based on the severity of the vulnerability: for example, a typical “Game Over” vulnerability like Remote Code Execution often pays more than a “simpler” vulnerability.
“How much do you have to pay if you have a Bug Bounty program?” might be your next question. Again, there are no standards to follow here, but a good idea is to go through existing ones for inspiration and benchmarks. A recommendation may be to rate the different types of vulnerabilities and pay the most for the most critical ones. A more experienced and skilled researcher will strategically go for the Bug Bounty programs that pay more, and the budget expectations increase with the size of the company. A security researcher will not have the same payout expectations on a local online store compared to large brands like Airbnb or Uber.
How do you set up a Responsible Disclosure policy?
1) Before launching a Responsible Disclosure policy, you should first discuss the initiative internally, so that everyone involved is aware of what it means and how it will affect them. Secondly, you need to decide which sites are in scope, i.e. what you would like security researchers to investigate. For example, you might host content on a third-party provider, which means that you can’t get access to their source code and fix the vulnerabilities yourself; you can only ask the researcher to get in touch with them. Or you might have support pages or blogs that should be out of scope, since consequences would be limited even if they were compromised. Determine what is in scope, how the vulnerabilities should be reported, who handles the reports, and what the response process should look like.
2) Set up a page called Responsible Disclosure/Report Vulnerabilities or similar. Describe which pages are in scope, what types of vulnerabilities can be reported and how researchers should report them.
Here’s a couple of examples of how a Responsible Disclosure page could look:
3) Set up an easy way for security researchers to contact the right person at your company. You can use firstname.lastname@example.org, but remember to decide who will get the emails, so that they do not fall between the cracks or get forwarded to employees who shouldn’t get their hands on potentially very sensitive information (more about this under “Common mistakes”).
4) Decide if you’re going to hand out a so-called “bounty” as a token of appreciation. You can, for example, reward the ethical hacker with money or a t-shirt with a handwritten thank you note. Hackers also appreciate updates on the status of their vulnerability report.
Photo: Martin Fältström
Detectify’s Frans Rosén says that he has never gotten as many t-shirts as when he started with ethical hacking. It’s a common misconception that most ethical hackers are only driven by money – recognition and appreciation are two other important drivers.
What companies use Responsible Disclosure?
Google, PayPal, and other US-based tech companies were early to implement and utilize Responsible Disclosure and Bug Bounty programs. Today, however, the trend has spread, and more and more types of companies are opening up the possibility of getting help from the ethical hacker community.
Many mistake Responsible Disclosure and Bug Bounty for something that only benefits the private sector, but even governmental agencies like the US Army, the US Air Force, and the Pentagon (!) have opened up limited-time bug bounty programs together with platforms like HackerOne. Several Detectify security researchers were invited to exclusive hacking trips organised by governmental agencies, which shows that the security mindset shift is not limited to the private sector. The main reason for this is that bug bounty programs pay off. When 1410 ethical hackers were invited to hack the Pentagon, the first bug was reported after only 13 minutes.
Who do Responsible Disclosure and Bug Bounty programs attract?
Ethical hackers, white-hat hackers, security researchers or good hackers. That is, people with an interest in security who want to help companies and/or earn money legally.
The opposite of white-hat hackers are black-hat hackers who look for vulnerabilities in order to blackmail companies, access corporate secrets, or steal sensitive customer data such as credit card information.
What are the risks associated with Responsible Disclosure?
Unsurprisingly, this is a question we hear very often when we talk about ethical hacking. The thought of opening the door and allowing hackers to find security issues can sound intimidating.
Our recommendation is to use legal advisers to map out any legal risks specific to your case, but here are some important points that might help:
1) Responsible disclosure is all about proving that there is a vulnerability on your site – not exploiting it. The standard guideline is to stop digging immediately after obtaining a “proof of concept”. The ethical hacker should never, ever use the vulnerability to harm the company for their own gain. Remember to formulate your guidelines as explicitly as you can on your Responsible Disclosure page. If a hacker were to ignore the guidelines, this could lead to legal consequences.
Of course, there have been incidents that could be placed in a grey zone, but such situations are usually the result of unclear policies. One well-known example is the One Million Bug incident a few years ago where a security researcher, according to Facebook, went too far in his frustration when Instagram acted too slowly on the bug he had reported.
2) A Responsible disclosure policy should also state that the security researcher should not publicly disclose a vulnerability before it is fixed. If a security flaw is disclosed before it is patched, other hackers could learn about it and use it for malicious purposes.
3) Keep in mind that every skilled security researcher is pretty confident that a black-hat hacker, if they have put their mind to it, will be able to access your systems. By aligning yourself with the security community that is able to keep up with the latest hacker knowledge and attack methods, you can get help and expertise that you cannot find anywhere else.
4) A problem that you might run into is people reporting vulnerabilities that are not really an issue or are found on websites that are out of scope, and claiming a bounty for them (this is sometimes referred to as a “beg bounty”). Make sure to set up a proper Responsible Disclosure page, and refer them to that information.
5) As a developer, it is almost impossible to keep up with all the latest security bugs manually. If Google, Facebook and PayPal are unable to do it, why would your department succeed? Using external help in the form of crowdsourced and automated security or Responsible Disclosure is a must in a world where technology and black-hat hacker methods are ever-changing.
What is a Security Hall of Fame?
Ethical hackers are often driven by recognition. A Security Hall of Fame is a great way to reward ethical hackers who report vulnerabilities to you, and it also works as a nice motivator for other ethical hackers to surpass the currently listed ones. It is a good option for companies that do not wish to reward security researchers with money.
Setting up a Security Hall of Fame is simple. You simply list the hackers who reported the most serious vulnerabilities to you with their name, social media handle and image.
Will the ethical hacker automatically be allowed to go public with the vulnerability as soon as it is patched by the affected company?
No, not necessarily. We usually encourage information sharing as the community’s development depends on researchers sharing knowledge and detailed write-ups. If your patched vulnerability is the subject of a security write-up, this does not mean your brand is not trustworthy. It shows that your company encourages transparency, values security, and can participate in the discussion in a forward-thinking way.
When it comes to disclosure, it is up to you to decide how to set it up. Many companies do not allow the researcher to write about the finding at all, but you can also choose so-called full disclosure or partial disclosure, where not all the technical details are outed.
As mentioned above, security flaws do not have to lead to negative PR. An awesome example is when Detectify’s Frans Rosén hacked the internal messaging tool Slack in 2017, and discovered a method that could give him access to all internal communication. Slack’s CISO responded to his report immediately and within 5 hours on a Friday night (!) the bug was patched. When we, with Slack’s permission, wrote about the event and the media picked up the news, the articles were extremely positive, and Slack were praised for their transparency and quick response time.
Why would an ethical hacker report a vulnerability even if they don’t get paid?
Detectify was founded by a group of top-ranked white-hat hackers who have reported hundreds, if not thousands, of vulnerabilities, spent hours finding a way to contact the person in charge, and made countless follow-ups to ensure the vulnerability is fixed. We asked them the following question: “What drives you to keep doing this, even if you are not paid for it?”
“I’m striving for perfection,” says Fredrik, 27, Detectify founder and an ethical hacker who is listed on countless Security Halls of Fame and has been named Security Expert of the Future by Symantec. “I want systems to be perfect. When I use a system or visit an application, I want it to work flawlessly. When it does not, I want to help. I want to get the technology on the internet to work without bugs.”
“Just like a painter will notice a badly painted hall, or a designer will notice things they would have done differently in an ad, an IT security-minded person will notice errors or vulnerabilities in your system – whether or not they want to. It’s just there in front of us, and it makes no sense to shut the door when you can allow us to help you,” says our security researcher Linus, 18, who started his career by hacking Google legally through Responsible Disclosure at the age of 14. He claims that Google’s positive response and bug bounty program have contributed enormously to developing his security interests.
Hear more from the 100+ ethical hackers Detectify works with through our Crowdsource platform, and learn what drives and motivates them.
Common mistakes companies make when implementing Responsible Disclosure?
Keep in mind that the security community is busy, both internationally and locally, and rumors about companies that make mistakes spread rapidly. A very common mistake is that no one responds to the reports even though the company has a responsible disclosure page. Another mistake companies make is to neglect fixing the vulnerabilities reported by researchers. From the perspective of an ethical hacker, this makes a company less attractive and the hacker is unlikely to look for vulnerabilities on their site again. If you implement a responsible disclosure policy, it is important to do it properly and prove that you take security seriously.
How does Detectify work with this?
1) Our own Responsible Disclosure and Security Hall of Fame
Even though we were founded by ethical hackers who have found critical vulnerabilities in most known tech brands, we are well aware that internal competence is not enough. We have our own Responsible Disclosure program and Security Hall of Fame and encourage you to report any vulnerabilities, flaws and bugs you come across on our website.
2) We are from the white-hat hacker community
Our story started in the white-hat hacker community and we still work closely with ethical hackers to keep our scanner up to date.
3) Our tool is powered by 100+ ethical hackers
The handpicked security researchers in our platform constantly report their latest findings to us, making sure Detectify covers more programming languages and technologies than ever before. Here’s a 1,5-minute video explaining how we work with the world’s best white-hat hackers.
Detectify is a web security scanner that performs fully automated tests to identify security issues on websites. Our global network Detectify Crowdsource allows us to work side by side with the white-hat hacker community. When researchers submit newly discovered exploits, we incorporate them into Detectify’s automated security service. Every time a reported issue is found on any of our customers’ websites, the researcher is rewarded. Are you interested in joining? Drop us an email: crowdsource [at] detectify.com and we’ll tell you more.