An Open Letter to the Internet
In my day-to-day activities, I often find security vulnerabilities in websites, software, and services.
When I find these issues, I make an effort to contact the affected parties to disclose the vulnerabilities responsibly. Unfortunately, many vendors and website owners do not supply contact information on their site, or make it needlessly difficult to contact them.
Back when I built my first website in the mid-90s, it was common practice to supply a webmaster's email address at the bottom of every page, or on a 'contact' page. I don't know why this practice seems to have died out, but it needs to come back.
Website Owners: Please put an email address or at least a contact form on your website for users to contact you regarding technical issues, problems with your website, or other concerns. It is in your best interest to communicate with your audience.
Vendors: Because your service is more complicated than a simple exchange of information with your clients, you have a higher responsibility (believe it or not) to acknowledge and address found issues. Provide a communication channel for users and non-users alike. Allow them to contact you anonymously if they wish. Do not require that they register, have an account, or log in to your website in order to contact you. And please, when you are alerted to an issue, thank the party in question, publicly acknowledge the issue, and fix it. Do not shoot the messenger; fix the problem.
Once a good-faith attempt has been made to disclose the issue, many of us will then make it public. This is bad for you. Don't get caught with your pants down. If you communicate with those who are trying to help, most will wait until you have fixed the issue to make it public.
We are here to help, but we aren't necessarily here to help you.
Labels: Full Disclosure