
How to verify and respond to vulnerability reports from security researchers

Introduction

Part of doing business in today's increasingly cyber-driven world is dealing with the security vulnerabilities and bugs that come up along the way. Many organizations first learn about a vulnerability or bug by receiving a security vulnerability or security bug report from a security researcher. If you have not received one of these reports yet, or if your organization's security posture is less mature, you may not know exactly how to handle the report.

This article explores how to handle security vulnerability and bug reports by detailing what to do when you first receive the report, how to verify the report's findings, how to respond to the researcher, and best practices for what to do after the report has been handled.

The report

Before moving on to any tips or best practices, the first thing you need to learn is to relax when you first receive the report. Do not take it as an indicator that you are necessarily doing anything wrong, but rather that (depending on the report) something has simply come to light. The important thing at this point is reacting appropriately, which is explored below.

Security vulnerability disclosure policy

The security vulnerability disclosure policy is the guideline an organization uses to establish who receives reports, who verifies them, and the other responsibilities that come with handling vulnerabilities. One of the most important pieces of information it contains is who security vulnerabilities and bugs should be reported to. The fact of the matter is that it can be hard for a researcher to determine whom to contact at an organization, let alone to get hold of that individual once they have been identified.

Organizations have been publishing their security vulnerability disclosure policies online, and the top item such a policy normally lists is the email address to which security vulnerability warnings, bug warnings and reports should be sent. The policy should also state (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Chris Sienko. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/yu7NOHIkJ9A/