The only way to ensure that a vulnerability in an organization’s digital assets is not exploited is to make sure the relevant personnel are made aware of it as soon as the flaw is discovered. To aid in this process, some forward-looking organizations have a well-defined policy. The practice of encouraging external finders to disclose vulnerabilities in a responsible manner is known as a Vulnerability Disclosure Policy (VDP). However, more than 90% of the Fortune 2000 companies don’t have a defined modus operandi when it comes to receiving vulnerability information from external finders.
The largest stakeholders in the global quest for a secure cyberspace are security researchers themselves. Yet it is they who are most often misunderstood and feared. There have been instances in recent times where companies have initiated legal action against hackers who reached out to them with good intent to highlight vulnerabilities in their systems. The result of this mistrust has been breaches of unprecedented magnitude, all of which could have been avoided.
Without the guidance of a viable vulnerability disclosure policy, security researchers are often in the dark about how to report potentially dangerous vulnerabilities to organizations. Reporting such vulnerabilities can carry significant risks for security researchers, and many choose not to do so. The overall effect is to make the Internet more malice-friendly and less secure. To make the reporting of vulnerabilities easier, and to protect the interests of security researchers in their endeavor to create a better and more secure cyberspace, the Safehats community Yellow Pages was created. Its objectives are: convenient and secure reporting for well-meaning security researchers; assistance with responsible disclosure; avoiding disclosure of sensitive content over improper channels; and preventing zero-day vulnerabilities, even for companies without a VDP. Safehats Yellow Pages is a community-moderated effort to make cyberspace more secure by creating a platform where security researchers can report any flaw they discover without fear of repercussions.
Security researchers can search for the program of an organization in which they have discovered a bug. They may then use the platform to look up the details of that organization’s reporting method and its security team. If an organization does not have an active VDP, the researcher may choose to create a program for it. Safehats can be used as a reporting medium for any valid bug discovered. When a community program receives a valid bug submission, Safehats will reach out to the organization concerned, make it aware of the vulnerabilities in its product, and try to ensure safe harbor and rewards for the security researcher, as long as their intentions are not malicious. Contributions to the pool of enterprises, and moderation of the submissions, are made by the security researchers themselves.
How does it work?
- A well-meaning security researcher discovers a vulnerability.
- They search for the organization in the community Yellow Pages directory. If the program exists, the hacker can report the issue there directly. If the program does not exist, the hacker can create a new program on behalf of the company and report the vulnerability there.
- A moderator from the community checks the validity of the issue and assigns it a priority.
- If the issue is valid, the Safehats team tries to reach out to the organization concerned, makes it aware of the vulnerability, and tries to ensure that the hacker is rewarded.
Organizations can claim their community pages as their own and publish or update their responsible disclosure policy and contact information to help hackers find them.