Lately I’ve seen several cases where people openly discuss web vulnerabilities they discovered in big corporations’ web sites, often disclosing technical details because the person who found the bug didn’t find, or didn’t bother looking hard enough for, a phone number or email address for the relevant security response team.
Even though some of the cases above are due to a lack of google-fu and perhaps “foul” play, they do prove a good point: corporations can easily dodge a lot of bad press and hacking attacks if they provide an easy way to disclose vulnerabilities in a secure manner. An email address or phone number will often suffice, or even better, an SSL-protected response form. Don’t make white hat hackers go through your 3 lines of tech support defense (and don’t brush them off if they’re not a customer!); chances are that they won’t bother and will rather disclose everything on their blog. In all fairness, they are trying to do you a favor, and you force them through countless mind-numbing, nausea-inducing, muzak-filled phone calls with support personnel who wouldn’t know whether to escalate a case unless it’s a bomb threat against corporate headquarters.
Think about it: allowing people to report vulnerabilities easily and securely essentially gives you a free (partial) pentest, which sure as hell beats having to pay guys like me to perform the same services. You should embrace it, not freak out (or freeze). OK, so some hackers will disclose publicly anyway, but I’m willing to guess that 99 % of the people out there would prefer to be honest.
So corporations: this is a win-win situation. Vulnerabilities are fixed responsibly, and you avoid bad press. Let’s face it, you’ll always have vulnerabilities, and I know you prefer to fix them before they’re on the front page of the NY Times or trending on Twitter.
Facebook has got it right, so why doesn’t your corporation do the same? By embracing the white hats, they get their 15 minutes of web fame, and you get your holes plugged (and I mean that in the nicest possible way). Put a link in the footer of your front page, and acknowledge the people who help you out for free. It is basic courtesy, right?
Lastly, a free protip: Make sure that the address pops up when googling for “Company X security response”.