Why I Don’t Report Security Vulnerabilities to Website Owners Without Permission
Let’s say you live in a neighbourhood known for burglaries, and one day, minding your own business on the way home, you notice that one of the houses has its door unlocked and the occupants asleep. What would you do? There are two options: you could notify the owner about the unlocked door, or you could ignore the whole thing and walk away as if you had seen nothing. The same situation plays out every day on the internet. I discover countless websites with serious security vulnerabilities, and, as in the neighbourhood example, I always choose to act as if I haven’t seen anything (the best option). Here are the reasons I choose NOT to tell the owners of the site.
- No one likes the bearer of bad news: not the website owner, not the vendor who sold the software, not the consultant who coded the website. They have lawyers, and their interest is in making money, not necessarily in creating secure software. Keep this in mind. If they can find grounds for a libel claim, they will use them. If they can deflect blame, they will.
- Why would you expose yourself to potential legal problems, especially considering that you aren’t getting paid for your efforts? Merely confirming that a flaw is exploitable can itself be treated as unauthorised access under computer misuse laws (the CFAA in the US, the Computer Misuse Act in the UK, and their equivalents elsewhere), so the person reporting the problem is often the one most exposed.
- If they were truly concerned about security, they would have hired an audit firm.
- Getting hacked is perhaps the best teaching experience regarding security. Let another hacker expose their vulnerability in a way they can’t deny. Then they will take security seriously.
- Do the security industry a favour: why would anyone hire a security specialist when good Samaritans on the internet (aka white hats) will audit their website for free?
- No one has ever been brought to trial or sued for failing to disclose a security vulnerability. You have nothing to lose by quietly taking your business elsewhere; let the company figure out for itself that the public wants secure websites.
Naturally, you might feel a sense of duty to help: when someone has an exposed security flaw, the instinct is to tell them. But first consider how the news will be received. Most companies would rather ship software with flaws that are not yet publicly known than produce flawless software and websites at a much higher cost.