Responsible Disclosure Policy, planting the seeds, reaping the benefits

"Bounty" Hunter - A CC NC SA image by Pedro Vezini
In December last year we first published our responsible disclosure policy, modeled after the work of Floor Terra. By now it is time to give an overview of our experiences and to give some overdue credit.

So first of all the major question: is responsible disclosure working for us?

Yes it is! Our responsible disclosure program has directed a lot of eyes towards our infrastructure, and those eyes spotted a lot of tiny details we would otherwise have missed. While we regularly scan our own infrastructure using automated tools, there are things a human will spot but a scanner will miss. Having more eyes on the infrastructure means these irregularities are spotted too.

So is there no downside? Obviously there is: each and every report needs to be investigated and handled with proper care, especially since the people reporting issues to us are doing so of their own free will. Also, some of the reports are not as clear as you would get from a professional tester, and some are dead wrong, hence the need for further investigation. We also found out that shipping t-shirts and other swag worldwide is not always as easy as you may think.

Overall we did become more secure and definitely caught vulnerabilities that would have otherwise slipped through the net.

We would like to pass a special thanks to Bugcrowd for maintaining a list of bug bounty programs; being on this list really promoted our program.

So now for the list of results and credits:

May 2013
  • Cross Site Scripting vulnerability (XSS) in www.schubergphilis.com discovered by an anonymous researcher rewarded with a t-shirt
  • XSS in www.schubergphilis.com discovered by an anonymous researcher rewarded with a t-shirt

June 2013
  • XSS in photo.schubergphilis.com discovered by Florindarck of Romanian Security Team rewarded with a t-shirt

July 2013
  • Clickjacking vulnerability on SSL VPN device discovered by Surya Kumar rewarded with a t-shirt
  • XSS in www.schubergphilis.com via flash discovered by Darius Petrescu and (akkiliON) rewarded with a t-shirt
  • Information disclosure via error page discovered by Atul Shedage rewarded with a € 100,- donation to Room to Read
  • Insecure SSL renegotiation on SSL VPN and missing cross domain policy on photos.schubergphilis.com discovered by Harsha Vardhan Bappana
  • Clickjacking vulnerability in photo.schubergphilis.com discovered by Tushar Kumbhare of Defencely rewarded with a € 100,- donation to Room to Read
  • XSS in www.schubergphilis.com discovered by SimranJeet Singh rewarded with a t-shirt
  • Clickjacking vulnerability in news.schubergphilis.com discovered by Javid Hussain rewarded with a t-shirt
  • Clickjacking vulnerability in news.schubergphilis.com discovered by Jigar Thakkar of Infobit rewarded with a t-shirt
  • Content spoofing in xxx.schubergphilis.com discovered by Jay Turla rewarded with a t-shirt
  • XSS on www.schubergphilis.com discovered by Olivier Beg rewarded with a t-shirt

6 Comments

Floor Terra
It's great to see you giving public credits to the researchers! You are an example for other companies!
caseyjohnellis
Thanks for the mention! You're most welcome re us including you on the list... Glad it has been helpful!

@caseyjohnellis - CEO, Bugcrowd
Arbaz
Yes, love it!
Arbaz
Yes, love it!
Arbaz
lol Yes!
arbaz
asfsagsagsag