An anonymous report claims that a ton of your company’s customer data has been exposed. A sense of calm is in the air as you enact your vulnerability disclosure policy. You save the day, get a promotion and rainbows and unicorns fill the sky. Then you wake up!! You don’t have a vulnerability disclosure policy. Panic quickly washes away the sounds of harps.
You’ve got to verify this incident quickly, you’ve got to handle it (mitigation and disclosure) well and you need to carefully manage the narrative in case the story goes public. This isn’t one of those ‘2 out of 3 ain’t bad’ scenarios — you need to do all three. More than anything though, this information needs to get to the right people quickly to avoid making the problem worse. Who are the right people!?!?
In many cases, when someone stumbles upon exposed data, their first impulse is to report it. Your job is simple — make it easy for them to do the right thing. In some cases, this individual is a customer and realizes their own personal data might be at risk. They want you to know about the problem and they want it to be fixed, because the risk is personal.
Making it easy to report issues doesn’t have to be a lot of work. A simple web page or form that’s easy to find and includes instructions on how to report issues can go a long way.
So why do we often see it handled so badly?
The recent Panera Bread debacle is an excellent example of how NOT to handle vulnerability disclosure.
In most cases, the situation is handled badly because no one has taken the time to prepare for this sort of situation. Either that, or the business is suffering from ‘nothing-bad-has-happened-yet’ syndrome. Yes, there are (Read more...)
*** This is a Security Bloggers Network syndicated blog from The Ethical Hacker Network authored by Adrian Sanabria. Read the original post at: http://feedproxy.google.com/~r/eh-net/~3/Mg-NGQGfAn0/