Responsible Disclosure Policy, planting the seeds, reaping the benefits
Frank Breedijk
So, first of all, the major question: is responsible disclosure working for us?
Yes it is! Our responsible disclosure program has directed a lot of eyes towards our infrastructure, and those eyes have spotted a lot of small details we would otherwise have missed. We regularly scan our own infrastructure with automated tools, but there are things a human will spot that a scanner will miss. Having more eyes on the infrastructure means these irregularities get spotted too.
So is there no downside? Obviously there is: each and every report needs to be investigated and handled with proper care, especially since the people reporting issues to us are doing so of their own free will. Also, some of the reports are not as clear as you would get from a professional tester, and some are dead wrong, hence the need for further investigation. We also found out that shipping t-shirts and other swag worldwide is not always as easy as you might think.
Overall we did become more secure and definitely caught vulnerabilities that would have otherwise slipped through the net.
We would like to pass a special thanks to Bug Crowd for maintaining a list of bug bounty programs, being on this list really promoted our program.
So now for the list of results and credits
- Cross-site scripting (XSS) vulnerability in www.schubergphilis.com discovered by an anonymous researcher rewarded with a t-shirt
- XSS in www.schubergphilis.com discovered by an anonymous researcher rewarded with a t-shirt
- XSS in photo.schubergphilis.com discovered by Florindarck of Romanian Security Team rewarded with a t-shirt
- Clickjacking vulnerability on SSL VPN device discovered by Surya Kumar rewarded with a t-shirt
- XSS in www.schubergphilis.com via Flash discovered by Darius Petrescu and (akkiliON) rewarded with a t-shirt
- Information disclosure via error page discovered by Atul Shedage rewarded with a € 100,- donation to Room to Read
- Insecure SSL renegotiation on SSL VPN and missing cross domain policy on photos.schubergphilis.com discovered by Harsha Vardhan Bappana
- Clickjacking vulnerability in photo.schubergphilis.com discovered by Tushar Kumbhare of Defencely rewarded with a € 100,- donation to Room to Read
- XSS in www.schubergphilis.com discovered by SimranJeet Singh rewarded with a t-shirt
- Clickjacking vulnerability in news.schubergphilis.com discovered by Javid Hussain rewarded with a t-shirt
- Clickjacking vulnerability in news.schubergphilis.com discovered by Jigar Thakkar of Infobit rewarded with a t-shirt
- Content spoofing in xxx.schubergphilis.com discovered by Jay Turla rewarded with a t-shirt
- XSS on www.schubergphilis.com discovered by Olivier Beg rewarded with a t-shirt