Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues?
An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.
How about "Thank you!"? (Score:4, Insightful)
How about just saying, "Thank you!" to them?
You could also give them money.
Re: (Score:2)
Absolutely! Anyone who finds any kind of security issue and then reveals it needs to be pursued and punished so severely that everyone who finds such issues just pretends they didn't see it and moves on. That'll make things REALLY secure!
Re: (Score:2, Informative)
Absolutely! Anyone who finds any kind of security issue and then reveals it needs to be pursued and punished so severely that everyone who finds such issues just pretends they didn't see it and moves on. That'll make things REALLY secure!
You seem to be under the mistaken assumption that solving security problems is actually the end goal here. It's not. The end goal is to avoid personal or company liability, in which case congratulating someone is the WRONG thing to do because then you admit the product has a problem, and thus you are liable.
Call the FBI is indeed the only correct answer.
Show them how to break into the best porn sites (Score:2)
A bit ironic, but I'm sure it would be appreciated!
Who cares? (Score:1)
Fix the Bugs (Score:2)
Well for one thing, don't persecute them!! (Score:4, Insightful)
I've heard many cases of somebody reporting a security issue, then getting fired, sued, or arrested as a result. In the case of kids in school, suspended or expelled.
They were HONEST here! They found a security problem and rather than exploit it for personal gain, they reported it, and then get in TROUBLE for it??
It's absurd. It means when people hear of this and find security problems in the future, they'll keep quiet about them because they don't want to get in trouble too.
Re: (Score:2)
I've heard many cases of somebody reporting a security issue, then getting fired, sued, or arrested as a result. In the case of kids in school, suspended or expelled.
They were HONEST here! They found a security problem and rather than exploit it for personal gain, they reported it, and then get in TROUBLE for it??
It's absurd. It means when people hear of this and find security problems in the future, they'll keep quiet about them because they don't want to get in trouble too.
Damn I was going to say "don't prosecute them" but you beat me to it. The parent needs a mod point or two as it is ridiculous when that happens.
By Paying Attention to their Reports (Score:2)
If you demonstrate that you take the report seriously. So just showing a good followup of the report, with progress and fixes.
That means having the resources since without resources nobody'll be happy.
By actually following through (Score:3)
I've been reporting security issues in local businesses that I deal with. One is an ISP that stores and emails users passwords in plain text. Another is a bank exposing credit card numbers in plain text. When I report this shit, I expect actual follow through in fixing them. In the former case, the ISP literally gave me a "not our problem" response, while the bank said they'd contact me back and never did (still need to check to see if this issue has at least been resolved though).
Send a copy of the thank you letter (Score:2)
To every congressman in the country, asking them to repeal the CFAA or at least heavily reform it, while also making a huge PR stunt about it.
Simple (Score:2)
Fix the problem, promptly.
just don't let them know you sent it (Score:2)
Hack directly to their screen and display, "Thanks for reporting the security issue. -Anonymous Coward"
oh, i know! i know! (Score:2)
Give 'em money. I'm not even kidding. (Score:2)
Sure, employees will try to game the system at first, and you'll find loopholes in your "rules" of the game. But the end result is net positive:
1) Your employees are *paid* and *happy* to notify the company of vulnerabilities, and
2) You. Fucking. Fix. Vulnerabilities.
Seriously, it's a net win for both the company and the employees. Just do it.
Easy! (Score:2)
Lawsuit. At least that seems to be industry best practice...
Back in olden times... (Score:2)
Give them visible recognition (Score:3)
The best way to reward users is to give them an award that is publicly visible, to encourage others to do the same.
Anecdote: I worked at an organization that, like many others, had a public "share drive." Sometimes I would browse the folders with pictures of coworkers at after-hours events. One time, I decided to see what was on the drive, and I found an Excel spreadsheet with a list of names, last 4 digits of social security numbers, and credit cards. Excel keeps the author's name in the file, so I contacted the author. They replied with "Oh, that file is a temporary file and it gets deleted every 30 days, so don't worry about it." I forwarded the email to the company's head of security, expecting no reply. A month later I was invited to a conference room for something random, and much to my surprise, I was presented with an award in front of 20 or so people in my department. My boss told me it was handed down to him by the head of corporate security, along with an explanation of what I had done. I was genuinely proud. Because of that event, I was more engaged with the company, and I have taken that security mindset with me. I can only hope that other employees took it to heart as well.
I know the summary is about users reporting internal security concerns. However, on a broader note, we need an industry standard for reporting security issues. Every other day there's some story about an organization that ignored a report, or sued the researcher, or something. We need a standards body to:
1. Create a standard form for submitting vulnerabilities (especially to 3rd-parties.)
2. A standard way to deliver that form.
3. A standard amount of time to wait for a response before disclosing it.
4. A standard form to disclose it publicly, and a list of appropriate organizations to receive it.
5. An industry-accepted expectation that, if you follow these industry standard steps, then you should be safe from lawsuits.
Stop bothering us with security "issues"! (Score:2)
Best way to report security issues and problems? Are you daft?
1. They don't want to be bothered
2. They want to "look good" as cheaply as possible
3. No liability
Is it worth the expansion? Here on Slashdot? I must be daft, but I'll say a bit more:
As regards #1 and many years of attempting to report problems, I can assure you that they [various organizations who, in theory, might be responsible for protecting your security as customers and users] are NOT grateful. These days the trend has become pigeonholing i
Fix them ASAP. (Score:2)
Literally, just fix them ASAP.
Take a Cue From our Corporate Overlords (Score:1)
Let's rewind here for a second (Score:2)
My workplace has many security "features". I am a long time IT worker above level III.
From cold boot to being productive takes longer than 10 minutes due to the security feature of being able to use the 2FA token exactly once, then having to wait for the next one (90 seconds on average). This is really a "nice" feature when your infrastructure is completely down and you have C level execs screaming to get i