How Should I Report An Exploit Responsibly And Should I Get Paid For It?

There is always a big controversy within the security community on how you are supposed to conduct yourself when you find an exploit that can harm either a web site or a program.

There is a legion of hackers from around the world, both black hat and white hat, who take software and try to find any weaknesses in it.

Most of these people do it for fun, while others are paid to do it, so new vulnerabilities and exploits are found every day.

These are exploits that a bad guy who knows what they are doing can take advantage of.

Given this, there is a controversy over how these exploits should be presented to the company whose software they affect.

how would you report an exploit?

Responsible Reporting

There are two controversies that are in play when it comes to responsible reporting of an exploit.

The first controversy is whether you should release the vulnerability to the public first or tell the people who made the software first.

There are pros and cons to both of these approaches.

If you tell the public first and the company decides that they are going to delay a fix, then the bad guys will have a known vector of attack.

This is not good for anyone involved.

If you tell the company that there is vulnerable code in their program and they decide that, since no-one knows about it, they are not going to fix it, then people are still left vulnerable.

The big difference now is that users do not get to choose whether to turn the software off, because they do not know that they are at risk.

To Pay Or Not To Pay

The other big controversy is whether the researcher should be paid for finding the exploit in the company's software.

Finding these exploits is hard work and most software companies barely say thank you to the person who finds them.

This is leading to a backlash, and more and more security researchers are starting to want to be paid for their findings.

Some hackers are even selling the exploits to the highest bidder.

If there were an industry-wide practice of paying the people who find these security holes, then there would be less reason for people to sell the holes to the bad guys.

You could get paid without the risk involved.

If you find a hole in a piece of software or on a web site, there are several things you can do to report the hole ethically.

Before releasing the vulnerability to the public, you could tell the company first but let them know that they only have a certain number of days to fix it before you go public.

This way, you have given them the chance to fix the hole before the bad guys can get to it.

Also let them know that if you are not paid then you will write a paper about your findings.

You should be compensated in some way for your hard work, and if they will not do it, then there are other ways.

Finding holes in security can be a thankless job; luckily for us there are good guys that like to do it as much as the bad guys do.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
