If you run a company that does anything online, at some point you will probably need to talk with an independent privacy or security researcher. Here are some suggestions to make the experience better:
- Welcome the call. In general, independent researchers are calling because they care, and because they want to help. When an independent researcher calls, you are effectively getting free consulting. Consider yourself lucky.
- Be wary of demands for money or payment in exchange for information. Ideally, your company already runs a bug bounty program, but that is a separate process from direct outreach. If someone contacts you directly and asks for money before they will tell you what they found, that's a bad sign.
- If a privacy or security researcher offers to email you a report of their findings, accept that offer. It's free information. When a company refuses that offer, it's a sign that they are more concerned about public relations and plausible deniability than about fixing an actual problem.
- Remember: people who go out of their way to report a privacy or security issue to a company have no reason to trust you. Related: those of us who do this have other things we would rather be doing with our time. The only reason we are calling is that we have found an issue with your service that needs to be fixed. Most moderately experienced privacy and security researchers have multiple horror stories about companies that were dismissive, rude, irresponsible, dishonest, or careless. If you want to distinguish yourself as different, it will take some effort on your part.
- When a privacy or security researcher calls, don’t be dismissive, rude, irresponsible, dishonest, or careless.
- Following up with a privacy or security researcher and letting them know that you have acted on their information is good practice, a sign that you are trustworthy, and professional courtesy. Refusing to follow up will be interpreted as a sign of bad faith.
- When a privacy or security researcher contacts you with findings, those findings remain their work, and they are free to discuss them publicly within reasonable ethical and legal guidelines. Attackers are already fully aware of the range of options at their disposal; silence benefits only them. In most cases, a disclosure window of between 15 and 90 days (depending on severity, complexity, and so on) is fair.
- Make sure your site has a security.txt file (served at /.well-known/security.txt, as described in RFC 9116). This is something you need to have in place at all times: it gives researchers an easy way to find a competent, informed contact for privacy and security issues before they ever have to pick up the phone.
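As an added example (not code from this post), here is a small Python checker for a security.txt file, following the rules in RFC 9116 that can be verified offline: Contact and Expires are required, Expires appears once and is an ISO 8601 timestamp that has not passed (the RFC recommends less than a year ahead), and Contact values are mailto:, tel: or https: URIs. The domain, addresses and dates in the constructed samples are hypothetical.

```python
"""Added example: parse and sanity-check a security.txt file (RFC 9116).

Not code from the original post. The domain, addresses and dates in the
constructed samples below are hypothetical.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of a well-formed file, as a site would serve it at
# https://example.com/.well-known/security.txt (hypothetical domain).
SAMPLE_SECURITY_TXT = """\
# Where to send privacy and security reports for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/disclosure-policy
"""

# Constructed sample of a file that would send a researcher nowhere useful:
# the Contact is not a URI and the required Expires field is missing.
BROKEN_SECURITY_TXT = """\
Contact: security@example.com
Policy: https://example.com/security
"""

CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text):
    """Map each field name (lowercased) to the list of its values.

    Comment lines start with '#'; blank lines are skipped; any other line
    must be 'Name: value' where Name is letters and hyphens only.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or not name or not name.replace("-", "").isalpha():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.lower(), []).append(value.strip())
    return fields


def _as_utc(value):
    """Accept a datetime or an ISO 8601 string (trailing 'Z' allowed)."""
    if isinstance(value, str):
        # Python < 3.11 does not accept a trailing 'Z' in fromisoformat().
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value


def check_security_txt(text, now=None):
    """Return a list of findings, each prefixed 'error:' or 'warning:'.

    An empty list means the file passes every offline check: Contact present
    and a mailto:/tel:/https: URI, Expires present exactly once, timezone-aware
    ISO 8601, not yet past, and less than a year away (an RFC recommendation,
    so only a warning). `now` may be a datetime or an ISO string; it defaults
    to the current UTC time.
    """
    now = _as_utc(now) if now else datetime.now(timezone.utc)
    findings = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [f"error: {exc}"]

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("error: missing required Contact field")
    for contact in contacts:
        if not contact.startswith(CONTACT_SCHEMES):
            findings.append(f"error: Contact is not a mailto:/tel:/https: URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("error: Expires must appear exactly once")
    else:
        try:
            exp = _as_utc(expires[0])
        except ValueError:
            exp = None
            findings.append(f"error: Expires is not ISO 8601: {expires[0]}")
        if exp is not None and exp.tzinfo is None:
            findings.append("error: Expires has no timezone")
        elif exp is not None:
            if exp <= now:
                findings.append(f"error: file expired on {expires[0]}")
            elif exp > now + timedelta(days=365):
                findings.append("warning: Expires is more than a year away")

    # Canonical and Policy are optional, but if present they should be https.
    for uri in fields.get("canonical", []) + fields.get("policy", []):
        if not uri.startswith("https://"):
            findings.append(f"warning: not an https URI: {uri}")
    return findings


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        print(label, check_security_txt(body) or ["ok"])
```

Run it against your own file by reading it into `check_security_txt`; an `error:` finding means a researcher following the standard will not be able to reach you, and the `Expires` warning is the reminder to put a renewal on the calendar rather than let the file silently go stale.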
Making and receiving privacy/security reports gets tricky fast. Speaking for myself, I report privacy and security issues when I see a problem that has the potential to cause harm to people. It’s never fun, and issues need to hit a certain threshold to be considered reportable.
If you are at a company and you receive a privacy or security report, take it seriously, and be aware: your response is part of the picture that shows how much or how little you respect the people impacted by your service.