All technology contains bugs. These bugs frequently have security implications that may be exploited by criminals, but are more often discovered by friendly parties — security researchers, academics, hackers, vendors, professionals, even law enforcement — who want nothing more than to see the flaw resolved safely. Due to this inescapable reality, it is critical that all organizations who build technology also have a safe process for vulnerability disclosure.
Unfortunately, many disclosure attempts from researchers continue to fall on deaf ears, and all Internet users are at increased risk as a result. This issue was recently highlighted in a letter to the Internet Policy Task Force:
Researchers who discover a serious security flaw in a piece of software or website should not have to spend hours or days searching for the contact information for the information security team at the company or organization responsible for the vulnerable code.
[…]
Providing security researchers with an easy way to report vulnerabilities is not just an industry best practice (ISO 29147), it is now a key component of what the Federal Trade Commission considers “reasonable and appropriate security.”
We agree.
That’s why we’re launching the HackerOne Directory: a community-curated resource for identifying the best way to contact an organization’s security team. Just as important, the Directory will also document whether the organization has a responsible disclosure policy and any associated bug bounty programs.
Image: The HackerOne Directory
Researchers
- Share your disclosure experiences and add security team contact information to the Directory so others can benefit from your work.
- When you need to contact a security team, search the Directory for their contact information.
- If an organization hasn’t published security contact information anywhere, we recommend considering assistance from your local CERT.
Organizations
- Publish contact information for receiving information about potential vulnerabilities in your products or online services, such as a security@ email address or a HackerOne program. See ISO 29147 for additional guidance or contact us.
- Search the Directory for your organization to ensure that your security team’s contact information and disclosure policy are accurate.
Empowering security researchers to perform their important work more efficiently is central to our mission, and we hope this Directory will prove to be a useful resource. Questions, complaints, or suggestions? All feedback is important to us and we’d welcome hearing from you.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.