The balancing act of responsible disclosure

Disclaimer: This isn’t legal advice

We programmers may not have to deal with sharp-edged tools or heavy-duty equipment, but we still have abilities at our disposal that can cause damage to ourselves and others. One of those is a sense of curiosity, which isn’t normally viewed as a risk; what follows is a cautionary tale of how it could be.

Here’s how even a simple act, like right-clicking on a webpage, could have terrible consequences.

Firstly, let’s look at what “responsible disclosure” actually is.

It’s the process of notifying the owners of a system that there may be a security issue. This is specifically done in a way where the system owner is the beneficiary and not the reporter: a security issue has been reported to help and not to win favour or elicit a reward.

That in itself seems … responsible … and helpful even, so how and why can it open up a can of worms? The answer lies with what happens next.

No one likes criticism, and companies in particular don’t appreciate it when it suggests a lack of care or when it is a little too public. Add the assumption that the reporter actively went looking for a vulnerability rather than just happening upon it, and the disclosure recipient often isn’t too happy to receive the report.

This is how a programmer’s curiosity can get the better of them: we like to understand how things work and when they don’t work it’s in our personality to figure out why.

Unfortunately, the general definition of “hacker” is way too broad, and the typical understanding of what the courts could view as “a programmer’s curiosity” is right on the border between “nothing to see here” and “cybercrime in progress”.

This is a problem we, as programmers, frustratingly won’t be able to fix and need to work around for our own safety.

South Africa has a relatively new set of laws governing this curiosity, called the Cybercrimes Act of 2020. One of the goals is to criminalize “illegally accessing a computer system or intercepting data” with penalties of up to fifteen years in prison.

This is in line with many other countries and on the surface is well-intentioned. The problem with new laws, however, is that they have yet to be tested in court, which means the room for interpretation is vast and concerning.

What does “illegally accessing a computer system” really mean outside of the courtroom?

If you have no legal reason or right to access a computer system (e.g. a website), then sure, this is quite clear.

But what about a website that you have a valid reason to visit, for instance, your banking site? What would make the use of it illegal?

Clicking in the wrong place?

Determining the validity of an SSL certificate? Looking at how the site was constructed?

Verifying what information is being sent from your browser? Scanning to find out what user behavior trackers it is using? Finding out where the servers are located?

A few years ago in the United States, a journalist faced prosecution for pressing F12 and viewing the source of a website. While charges were dropped in this case, you can see how low the bar is for what could constitute “hacking”.

Do you really want to bet that a magistrate understands the nuance of how all of this differs from the pop culture definition of hacking?

How should the programmer (i.e. the well-meaning hacker) and the company deal with situations like this?

As a company, what do you do about all this? The knee-jerk reaction is to:

  • Step 1: hope it doesn’t happen to you, but if it does
  • Step 2: threaten to prosecute

While this may make sense in a way, companies that react like this risk never hearing about vulnerabilities, which may end up making things worse than ever. Some organizations may attribute not hearing about a vulnerability to how secure their systems are. While this is possible, they would be in the extreme minority of organizations whose systems are truly secure.

There are a few things that a company can do to prepare themselves for the inevitable notification telling them something bad has happened.

  • Encourage continuous and frequent internal discussions about security. In my experience, security checks get pushed to the last minute which makes fixes a political debate instead of a business necessity.
  • Get involved in the local cybersecurity community to get familiar with the latest best practices and the Tactics, Techniques, and Procedures (TTPs) of actual hackers who try to do real damage.
  • Consider using a bug bounty program like HackerOne. (Hint: you probably don’t want to be on a corporate network when you open that link 😉)
  • Run frequent in-house tests to find vulnerabilities yourself. Just because you’re using the latest and greatest tech doesn’t mean it’s without problems.
  • Be open-minded with the tools you use to run security checks. If you’ve blown the budget on something fancy, great. Use it. But don’t only use that.
  • Make it easy for someone to get hold of a technical person to report a vulnerability. Expecting the “hacker” to call your support line and explain what they have seen is the same as asking them not to get in touch at all. Luckily, there is a web standard to help with this. It’s called security.txt and is a simple way to attach technical contact information to your site in a way that security researchers (that’s a more accurate way to describe “hackers” who mean well) can easily find. Unfortunately, from my research, this isn’t widely used yet. Let’s hope it will be in the future to lighten the load of those call center staff taking all the vulnerability queries!
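As an added illustration that is not part of the original post: security.txt is specified in RFC 9116 and lives at /.well-known/security.txt, with Contact and Expires as the mandatory fields. The constructed sample below uses placeholder addresses, and the checker is my own code, not a tool from the post or from any standards body.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a minimal /.well-known/security.txt (placeholder addresses).
SAMPLE = """# Constructed example, not a real organisation's file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
"""
NOW_FOR_DEMO = datetime(2029, 6, 1, tzinfo=timezone.utc)  # fixed clock for the demo
REQUIRED = ("Contact", "Expires")                          # mandatory per RFC 9116
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")          # Contact values must be URIs

def parse_security_txt(text):
    """Return {field: [values]}; comment lines (#) and blank lines are ignored."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" field line
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto/https/tel URI: {value}")
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for value in fields.get("Expires", [])[:1]:
        try:
            exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if exp.tzinfo is None:  # RFC 9116 wants a zone; assume UTC rather than crash
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append("file has expired; treat its contact details as stale")
        elif exp - now > timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 advises less)")
    return problems
```

Run the checker against your own site's file before publishing it; an expired or contact-less security.txt is as good as none to a researcher trying to reach you.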

On the other side of the tightrope is you, the presumably innocent and well-intentioned member of the public. What should you do if you find a vulnerability?

First, and this comes from experience, be very careful with your next move.

In a perfect world, you’d ping the relevant CEO, extolling the benefits of Lockheed Martin’s Cyber Kill Chain and explaining how they may have inadvertently violated the POPI Act, particularly Section 19. In response you receive a hand-written thank you note along with a company-branded hoodie and a LinkedIn endorsement.

The reality is that unless you have been explicitly tasked with looking for vulnerabilities within their systems, you’ll probably not be on the receiving end of any brownie points. Instead, you have woken up their in-house counsel for some court time. Be wary of those circling helicopters!

So, back to the question: how do you disclose responsibly? The only real answer, and it’s rather disappointing, is that you don’t. Unless, of course, you are willing to gamble on how the company will respond. And that’s a big bet when all you’re likely to get out of it is some goodwill and the possibility of a press release.

The latter is incredibly unlikely because companies aren’t keen to show a weakness and the last thing they would want is to open the floodgates for more “responsible disclosures”. Particularly if they have set a precedent of not suing.

Making use of any burner email accounts you may have lying around is just as dangerous because things can still have a way of being traced back to you if you aren’t careful.

How else do you scratch that curiosity itch when it comes to all things cybersecurity?

  • Sign up for cyber ranges like TryHackMe and HackTheBox, where you can simulate finding vulnerabilities of various flavours.
  • Give bug bounties a try, as they may net you some prize money as well as achievements to add to your CV.

Be careful with your curiosity when around systems that don’t belong to you.

About Simon Steward

Simon is a senior consultant at CyberPro Consulting (Pty) Ltd. He is a seasoned leader in the tech space and a CEH Master with an interest in cybersecurity. He also founded the JavaScript in South Africa conference.

Copyright 2024 CyberPro Consulting. All rights reserved. Gauteng Contact: 011 656 3394, Western Cape Contact: 021 551 0936