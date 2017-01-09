

 



Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues?

Posted by BeauHD from the pat-on-the-back dept.
An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.


  • How about "Thank you!"? (Score:2, Insightful)

    by Anonymous Coward

    How about just saying, "Thank you!" to them?

    You could also give them money.

  • A bit ironic, but I'm sure it would be appreciated!

  • I mean this literally... other than user thankers, who cares? Every decade or two, when it's time to thank a user, I go to the user cubicles, and I thank someone who is in their cubicle, within earshot of my voice. I couldn't care if it was security-related, fridge-courtesy-related, or FairyDust-related. A user is a user is a user.
  • If they go to the trouble to document and report bugs, you need to fix them quickly. This isn't limited to security bugs -- any kind of bug deserves attention. That's more thanks than they get from most vendors. Nothing will make me quit a vendor more quickly than being ignored when I make substantial, documented bug reports.

  • I've heard many cases of somebody reporting a security issue, then getting fired, sued, or arrested as a result. In the case of kids in school, suspended or expelled.

    They were HONEST here! They found a security problem and rather than exploit it for personal gain, they reported it, and then get in TROUBLE for it??

    It's absurd. It means when people hear of this and find security problems in the future, they'll keep quiet about them because they don't want to get in trouble too.

  • If you demonstrate that you take the report seriously. So just showing a good followup of the report, with progress and fixes.
    That means having the resources since without resources nobody'll be happy.

  • By actually following through (Score:3)

    by darkain ( 749283 ) on Monday January 09, 2017 @06:15PM (#53637557)

    I've been reporting security issues in local businesses that I deal with. One is an ISP that stores and emails users' passwords in plain text. Another is a bank exposing credit card numbers in plain text. When I report this shit, I expect actual follow through in fixing them. In the former case, the ISP literally gave me a "not our problem" response, while the bank said they'd contact me back and never did (still need to check to see if this issue has at least been resolved though).

  • To every congressman in the country, asking them to repeal the CFAA or at least heavily reform it, while also making a huge PR stunt about it.

  • Fix the problem, promptly.

  • Hack directly to their screen and display, "Thanks for reporting the security issue. -Anonymous Coward"
