Bug Report: call to action!

Bug Report: call to action!

bugreport.pngMonday 06 January 2020

Have you been there? All you really want to do, is to get your own actions and projects done before the end of the year. That's quite enough!

But the team always has some good ideas that must be picked up too ..... And then a message drops into your mailbox that you almost click away, probably spam! But, you cannot ignore this message: it is a Bug Report. Oh no! You know this cannot be ignored. You’ll have to initiate the relevant procedure, with the inevitable follow-ups and communication to the reporter. Even more important than the actions that are still on the to do list!

In December we at CIO Platform Nederland received such a bug report from Asif aka "Ultimate Haxor", a hacker. It was a comprehensive message about a vulnerability he had found and which made our website vulnerable to clickjacking. In the e-mail the "Ultimate Haxor", unknown to us, had clearly written a description and PoC and also offered two solutions to deal with this vulnerability.

In accordance with our policy, we reported the incident with our hosting provider and asked them to verify the report and, if necessary, resolve it. The report turned out to be correct. Fortunately, the fix was quite easy. Within 2 days we were able to thank the reporter and let him know that the vulnerability had been fixed. He came back with the question what the reward was for this report.

At CIO Platform Nederland, our policy is not to provide financial incentives for such Responsible Disclosure / Coordinated Vulnerability Disclosure notifications. Instead, we offered to share this experience with our members and of course say a word of thanks to Asif "Ultimate Haxor". Hereby!

Based on the principle of Sharing is Caring, we are also curious about your experience with such kind of bug reports. How current is your Coordinated vulnerability disclosure policy? How many of these notifications do you receive and does the procedure work? What if a bug cannot be solved (quickly), how does the reporter react to this message? How do you involve the reporter and how are communications with reporters handled?

At the bureau of CIO Platform Nederland we are vigilant!

« Back

More news

CIOTV #75 What about the maturity of digital transformations? With Martijn Koning and Arthur Govaert

ciotv 75 martijn en arthurMonday 04 July 2022 In this special seventy-fifth episode of CIOTV, current chairman Martijn Koning (Chief Digital & Sustainability Officer AutoBinck Group) and former chairman Arthur Govaert (VP Innovation Program ... full story

Fair Principle 3: Customers shall remain in control of their own data and all the data uploaded or processed by the service/solution.

Fair Principle 3Thursday 30 June 2022 Business users associations Beltug, Voice, Cigref and CIO Platform Nederland call for a balanced cloud market: 11 fair principles to unleash Europe’s digital potential. Fair principle 3 calls for customers to remain in control of their own data and all the data uploaded or processed by the service/solution. full story

Fair Principle 2: Vendors must not create a technical or commercial lock-in

Fair Principles 2Thursday 23 June 2022 Business users associations Beltug, Voice, Cigref and CIO Platform Nederland call for a balanced cloud market: 11 fair principles to unleash Europe’s digital potential. Fair principle 2 calls for every vendor to avoid creating a technical or commercial lock-in. full story

Urgent call to European Commission regarding the European Cybersecurity Certification Scheme for Cloud Services (EUCS)

2021-05-18 Terugkoppeling gesprek met Europese Commissie over digitale technologiebeleid.pngWednesday 22 June 2022 CIO Platform Nederland calls on the European Commission not to adopt the EUCS until the consequences for business users in industry and government in Europe have been thoroughly investigated, a consultation of stakeholders has taken place and the responsible political bodies have weighed up the digital autonomy, costs and benefits of a decision. full story

View all news items through the archive

Close