Cyber Maturity
Bug bounties and ethical disclosures make it easier for everyone (on average) to discuss cyber security as adults. These things help make the Internet a safer place to be. While not perfect, I think it is much better than it was.
I do not miss trying to ethically disclose circa 2005-2010. I do not miss the sweaty palms while waiting to see if it was going to be "thanks!" or "here is another lawyer's letter. Cease & Desist!".
As a security researcher you would struggle to find someone to talk to. When you found someone you would have to clarify what the problem was and how you were not attacking them, etc. I would also promise this:
"I am not going to ever talk about the specifics to anyone. You are under no obligation or threat from me. Just maybe consider fixing this. Have a nice day"
I have long been baffled by how communications of this ilk could result in a legal threat. It seemed hard to justify when the bad guys are targeting you and not telling you anything. That a few folks were willing to look into some stuff for free and tell you seemed like it would be welcomed. It really was not that widely welcomed.
But really it was being young and naive with a dash of idealism. Who doesn't want to fix the world!
The mature version of me sees the layers of pressure which could generate the legal letters. It is all about the authorisation to test, which organisations put in place before legitimate security testing can commence. You were not authorised to do so and therefore you get a cease and desist.
Where the line is blurred for me is this: should a user be entitled to take a look around if they are going to store their personal data in your application? I am sure the terms and conditions of use are expressly created to mean that the line there is not blurred legally, but I suggest it is morally.
I was not prolific in what I disclosed. However, this meander had me fondly remembering talking to Microsoft's Security Team for three reasons:
- A visible point of contact
- A process where I wasn't threatened; and
- Even a couple of acknowledgements in 2008 and 2009:
https://www.microsoft.com/en-us/msrc/researcher-acknowledgments-online-services-archive
So you want to take your security seriously? Start with the basics:
- Identify a point of contact to triage any reports.
- Stick an email address and a PGP/GPG key online.
- Stick a disclosure process online.
Starting a bug bounty is like painting a target on yourselves. Following these three steps is minimal and a great starting point for Cyber Maturity.
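A minimal `/.well-known/security.txt` (the RFC 9116 format) covers all three of those steps in one place; this is an added example and not from the original post, and the host, email address, key URL and policy URL are placeholders.

```text
# Served at https://example.com/.well-known/security.txt (placeholder host)
# Step 1: the point of contact that triages reports
Contact: mailto:security@example.com
# Step 2: the PGP/GPG public key so reports can be encrypted
Encryption: https://example.com/pgp-key.txt
# Step 3: the published disclosure process
Policy: https://example.com/security-policy
# Required by RFC 9116; review and renew the file before this date
Expires: 2026-12-31T23:59:59.000Z
# Optional: where acknowledged researchers are listed
Acknowledgments: https://example.com/hall-of-fame
Canonical: https://example.com/.well-known/security.txt
```

RFC 9116 also recommends cleartext-signing the file with the same key referenced in `Encryption`, so a researcher can check that the contact details themselves have not been tampered with.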