Bug Report: call to action!

But the team always has some good ideas that must be picked up too ..... And then a message drops into your mailbox that you almost click away, probably spam! But, you cannot ignore this message: it is a Bug Report. Oh no! You know this cannot be ignored. You’ll have to initiate the relevant procedure, with the inevitable follow-ups and communication to the reporter. Even more important than the actions that are still on the to do list!

In December we at CIO Platform Nederland received such a bug report from Asif aka "Ultimate Haxor", a hacker. It was a comprehensive message about a vulnerability he had found and which made our website vulnerable to clickjacking. In the e-mail the "Ultimate Haxor", unknown to us, had clearly written a description and PoC and also offered two solutions to deal with this vulnerability.

In accordance with our policy, we reported the incident with our hosting provider and asked them to verify the report and, if necessary, resolve it. The report turned out to be correct. Fortunately, the fix was quite easy. Within 2 days we were able to thank the reporter and let him know that the vulnerability had been fixed. He came back with the question what the reward was for this report.

At CIO Platform Nederland, our policy is not to provide financial incentives for such Responsible Disclosure / Coordinated Vulnerability Disclosure notifications. Instead, we offered to share this experience with our members and of course say a word of thanks to Asif "Ultimate Haxor". Hereby!

Based on the principle of Sharing is Caring, we are also curious about your experience with such kind of bug reports. How current is your Coordinated vulnerability disclosure policy? How many of these notifications do you receive and does the procedure work? What if a bug cannot be solved (quickly), how does the reporter react to this message? How do you involve the reporter and how are communications with reporters handled?

At the bureau of CIO Platform Nederland we are vigilant!