In large production environments it's almost impossible to avoid bugs - and some of them are going to be nasty. What sets great and security conscious companies apart from the rest is how they deal with them.
This is an exemplary response from Google. They respond promptly (with humor no less) and thank the guys that found the bug. Then they proceed to pay out a bounty of $10.000.
I am really glad about how they responded. Whenever Tinfoil has found vulnerabilities in companies like United Airlines[0], for example, those companies mostly respond with anger rather than graciousness.
Exactly. I just saw that the local bank my parents use is still vulnerable to the Heartbleed Bug. But you know what? I don't want to go down there and talk to them because I'm quite certain they'll call the police because I "hacked into their systems".
There should be a security equivalent to hiring a lawyer to write strongly-worded letters for you.
Maybe someone could set up a firm where individuals could hand them a vuln report, and then the firm would contact the vulnerable company on the individual's behalf. The firm would do the long, boring dance of "we suspect you're vulnerable to X, though we haven't tested it, but we'd like to do a free vulnerability test on you, so please sign this liability waiver", both protecting the individual from liability, and taking time the individual doesn't have. In return, if the company gives rewards, the firm could take a percentage.
So you pay money to hire somebody to send a company a letter informing the company of the company's problem in hopes that maybe, just maybe, the company will reward the firm a small sum of money and you will get a small amount back.
I might be living in a country with very few banks (3). I may benefit from letting them know about a security issue, especially if, because of that issue, I could potentially go to jail.
I may not have the option of changing bank because the others are even worse.
However, I don't know how much I would pay for that. Probably some kind of class action would work.
That's besides the point. It still costs money, and the company that's vulnerable is not the one paying it. A service like this would be time consuming (bogus reports, etc), and the EFF would still have to use money from donations to finance this.
The only thing I can think about is some security firm doing this, using the exposure as a marketing tool and establish them as an authority on the subject.
> I just saw that the local bank my parents use is still vulnerable to the Heartbleed Bug.
Just remember, many sites use the old certificate expiration even though they generated new certificates, which shows up as a false positive on the checking tools.
If you are a bank, and you haven't fixed one of the worst and widest-reaching security holes in years by now... well. Criminal negligence would be an appropriate description.
While I know plenty of companies do not respond how I feel they should to vulnerabilities, reading that story I don't see any cited anger from United Airlines.
You're right; the anger was mostly behind the scenes. It turns out it's also /incredibly/ hard to disclose a vulnerability to most companies. Companies like Google, or others that have bug bounty / disclosure programs, are to be lauded. :)
Hmm, a pretty cheap road trip for just ten dollars, and I'm also not sure why they thought it necessary to include an extra significant figure for cents.
Well done, Google.