How to fix Responsible Disclosure

tl;dr: Adding responsible disclosure information to robots.txt can help save time.

Companies don’t want to fix their site’s vulnerabilities.

At least, it seems that way from the current state of responsible disclosure policies.

Responsible disclosure is a vulnerability disclosure model in which researchers report weak spots in a company’s system, but allow time for the company to fix them before revealing the details publicly.

An organization can create a Responsible Disclosure Policy to inform researchers how to disclose vulnerabilities, as well as provide a guideline on how to act with regards to researching the system. A good responsible disclosure policy helps to keep sites safe by clarifying what the parties can expect from one another and by allowing white hat researchers to contact the right departments easily.

Few companies have responsible disclosure policies

The current state of information on companies’ responsible disclosure policies is still minimal. Our recent source code scan with InternetSecure.today showed vulnerabilities in 15,000 different websites within a matter of hours. But contacting these sites about their security risks proved a lot more difficult and time consuming.

Only a handful of companies have a page dedicated to responsible disclosure on their corporate website, some simply publish an email address, and most don’t have a policy at all. This discourages researchers from reporting issues, since it takes days or weeks to reach the right person. Eventually, and understandably, the researcher gives up and the security issue remains.

How to report a security issue now

First, I look up the whois information. However, this information is often outdated, because it’s a pain to update. So I send emails to security@company and cert@company, look up the business in the HackerOne directory and search the web for that company’s responsible disclosure policy.

There has to be an easier way.

I believe it’s in a company’s best interest to make it easy for researchers to report site or system issues. Encouraging them to help keep your systems safe, by sending a goodie or including them in your hall of fame, is even better.

So what should we do?

A far easier option would be to include the responsible disclosure information in the robots.txt by adding an extra directive, similar to Sitemap, that carries contact information. The responsible disclosure URL can then point to a HackerOne page, a policy page on the company website, or an email address via a mailto: URL. This can even be expanded with a custom scheme that refers to a JSON file with extended properties such as bounties, policies and scoping.

For example, add the following to the robots.txt:

ResponsibleDisclosure-URL: mailto:security@dutchcoders.io

Not only is the robots.txt far easier to update than whois information, it also allows cross-site references. So a marketing website can link to the responsible disclosure page on the corporate website, and it can also include contact information for issues unrelated to the website itself, such as other products or services.
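As an added example (not code from the original post), here is how a researcher’s tooling could read the proposed directive out of a robots.txt body. The sample robots.txt, the example.com hostnames and the field name spelling are constructed; it assumes only mailto: and http(s) targets are accepted and drops anything else, so a directive value cannot push an unexpected URL scheme into tooling that later opens the link.

```python
"""Parse the proposed ResponsibleDisclosure-URL directive out of a robots.txt body."""
from urllib.parse import urlparse

# Constructed sample robots.txt; not fetched from any real site.
SAMPLE_ROBOTS_TXT = """\
# robots.txt for a marketing site
User-agent: *
Disallow: /admin/
Sitemap: https://www.example.com/sitemap.xml
responsibledisclosure-url: mailto:security@example.com
ResponsibleDisclosure-URL: https://corp.example.com/responsible-disclosure
ResponsibleDisclosure-URL: javascript:alert(1)   # rejected: unexpected scheme
"""

# Assumption: only these schemes are meaningful disclosure contacts.
ALLOWED_SCHEMES = {"mailto", "http", "https"}


def parse_directives(text):
    """Yield (field, value) pairs from robots.txt text.

    Field names are case-insensitive and '#' starts a comment, as in robots.txt.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = line.split(":", 1)
        yield field.strip().lower(), value.strip()


def disclosure_contacts(text):
    """Return validated contacts as (kind, target) tuples, in file order.

    kind is 'email' for mailto: URLs and 'web' for http(s) URLs with a host;
    values with any other scheme, or malformed ones, are silently dropped.
    """
    contacts = []
    for field, value in parse_directives(text):
        if field != "responsibledisclosure-url":
            continue
        parsed = urlparse(value)
        if parsed.scheme not in ALLOWED_SCHEMES:
            continue
        if parsed.scheme == "mailto":
            if "@" in parsed.path:
                contacts.append(("email", parsed.path))
        elif parsed.netloc:
            contacts.append(("web", value))
    return contacts


if __name__ == "__main__":
    for kind, target in disclosure_contacts(SAMPLE_ROBOTS_TXT):
        print(f"{kind}: {target}")
```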

Any thoughts?

What do you think of this solution?

Did I miss anything or do you see an even easier way? Feel free to share your ideas with me in the comments below. It’d be great to hear from you.