When a criminal hacks a website; that’s not news; it happens all the time. But when a website hits back at a hacker – literally – that’s news.
This appalling story by Guise Bule caught our eye last week at Synack. Bule describes what happened to a security researcher who went the responsible disclosure route on an insecure application in the casino industry. The researcher (actually two) had found a security vulnerability and attempted to report it responsibly. However, because no program rules were pre-established, the discussion morphed into a bounty negotiation. Read the story for the gory details, but (spoiler alert)… the story ends with a physical assault on the security researcher. Facts are still emerging and the bald truth has yet to be established. Regardless, it brings up an essential potential danger of security researchers working directly with companies that deserves commentary.
In this story, the security researchers chose to work directly with the software manufacturer to report a vulnerability and seek resolution, aka responsible disclosure. Responsible disclosure programs encourage security vulnerability reports via a public website, giving the company the opportunity to remediate the vulnerability prior to any public disclosure.
Trusted Vuln Disclosure
At Synack, we’ve surrounded ourselves with talented, ethical researchers who responsibly find vulnerabilities and work hard to help companies close them. Those exclusive 1,000 that we work with are the beating heart of Synack, and we are committed to protecting them while giving them opportunities to practice ethical hacking. This group typically focuses on paid testing with well-defined payment rules – not responsible disclosure.
Public responsible disclosure programs are different from paid testing. These programs allow anyone on the internet to submit what they believe is a valid vulnerability. It puts companies in a position of being forced to respond to researchers in a timely fashion. Synack has found that most organizations want something that wraps more trust into the process. We encourage our customers who utilize paid testing to participate in managed responsible disclosure to round out their security and make it more robust.
Managed responsible disclosure puts an independent third party between the vuln submitter and the vuln receiver to help avoid conflicts. Using this model allows more researchers to feel comfortable participating in security research and makes companies more willing to invite outside hackers in, ultimately resulting in safer software.
Here’s how we do it and why.
In the managed responsible disclosure approach, researchers submit their vulnerabilities directly to us on behalf of the software author. Regardless of the customer’s ability or bandwidth to process outside vuln reports, the Synack team immediately reviews and works with the researcher to see if the vulnerability is valid and exploitable. We treat every single researcher with the utmost professionalism, from the first-time hacker submitting career report #1, to the seasoned professional who’s Level 0x05 on the Synack Red Team. The researcher gets closure while doing good and getting on a responsible disclosure leaderboard. If the researcher is talented and trustworthy, they may also get invited to Synack’s exclusive SRT where they can hack on Synack’s private clients for significant monetary compensation.
What we don’t do for managed responsible disclosure is offer financial incentives (Bounty incentives are part of our other offerings, including Crowdsourced Vulnerability Discovery (CVD) and Crowdsourced Penetration Tests (CPT)). We find that for responsible disclosure scenarios this ensures that researchers who choose to submit a vulnerability are doing so for the right reasons. Further, there’s no reason for the conversation to evolve into a dangerous negotiation. There is no incentive for altruistic researchers to hold back on finding security vulnerabilities or for companies to have doubts about the reporter’s Synack-validated claims.
Managed responsible disclosure insulates companies and researchers with a professional organization that keeps everything on the record for the two parties. Synack commits to have the bandwidth to respond professionally at all times, for both companies and researchers. In the story above, that didn’t seem to be the case when the casino software maker did not rapidly remediate the reported vulnerabilities.
Further, we specialize in working directly with security researchers to triage and analyze security vulnerabilities. We’ve evaluated tens of thousands of vulns over Synack’s history and we can quickly get to the root of an issue better than companies who don’t deal with the same volume. The researcher knows that Synack is properly confirming their report, without any lag or slowdown. Using this approach, there would be no reason for a researcher to confront a slow security team leader in a live forum, so their conference badge can get ripped off while on video.
For organizations who wish to augment a managed responsible disclosure program with a paid penetration test, they have even more protection while accessing higher-skilled talent than the typical responsible disclosure program. Paid tests utilize only our vetted and highly-skilled Synack Red Team for measured, monitored security research (sometimes on non-public assets) through the Synack platform. The platform and Synack policy allow hackers to remain anonymous while conducting research. Companies can access a greater talent pool than that of a responsible disclosure program, but still have multiple layers of Synack protection throughout the process. All payment decisions are made by Synack, which further protects organizations from financial demands, such as what happened in this recent case and the Uber case of 2018.
Synack is a premier destination for the world’s best security researchers and we are committed to maintaining this quality community. By providing these protections for companies and security researchers, we strive to create the most inviting environment for the best researchers, to protect the most important brands around the world.