So You Found a Security Problem, Now What?
Companies should make it easy to report security problems with their products.
June 28, 2005
Lots of people find security problems with hardware and software products, network services, Web sites, and more. Some find problems through day-to-day computer use; others search for security problems purposely either as a hobby or as part of their job.
When you find a security problem, what do you do? The obvious answer is to contact the company that produced the product. However, alerting a company to your discovery of a problem in one of its products can be a challenge. Lots of companies simply don't prepare for reports of problems in their products and services. Their employees don't know what to do when people try to report problems. Nor do their Web sites or product documentation provide any information about who to contact for security matters.
Like many of you, I subscribe to a lot of security mailing lists. I can't even begin to remember the number of times I've read a message to one of those lists from someone asking how to contact a given company. The messages typically say something like, "I found a security problem in Product XYZ. I tried to contact the company via email and received no response. Does anybody have security contact info for the company?"
A good case in point happened last week. Someone found a problem in a widely used product and tried to contact the company via email and by phone. The person couldn't make it past the receptionist and so couldn't offer the information about the security problem to anybody in a position to do something about it. The person posted a description of the experience to a popular security mailing list, and now the company has to endure the embarrassment that comes along with public knowledge of its shortcomings--and the company's customers are more exposed to someone exploiting the publicized vulnerability. Had the company trained the receptionist to handle calls regarding security matters, the incident probably wouldn't have happened. As it turns out, the company in question read the message on the popular mailing list and quickly contacted the researcher. The company also quickly established a "security@" mailbox to which future reports can be sent.
Of course, in other cases, it turns out that the person who posted the vulnerability details didn't try very hard to contact the vendor. I'll sidestep the endless debate about whether vulnerability information should be publicly posted and say that these situations point out that every company that provides products and services should have information listed in plain sight in the product documentation and on the company Web site that shows who to contact about security matters. Even if a company's Web site serves only as an advertising vehicle and not as an ecommerce site, the company should include such contact information.
Likewise, when you're shopping for products, you should check whether a vendor lists security contact information. After all, you want the most secure products you can get, right? If a company doesn't provide a highly visible contact for security problems, the company is making it more difficult than necessary for people to report security problems directly to the company. And as I pointed out earlier, such difficulty can lead to vulnerabilities being publicly disclosed.
The trend seems to be to establish a "security@" or possibly a "secure@" email address that people can use to report potential security problems. Vendors should consider establishing such an address, if they haven't already.