i3 | August 03, 2017

Opening Up To Hackers

by Mike Bergman

When we hear the term “hacker,” we often think of some nefarious high-tech evildoer straight out of the movies. But many in the broad hacker community “practice ethics.” The researcher who discovers a security problem makes a reasonable effort to notify the manufacturer and gives them time to fix it, before publishing the research. This is called “coordinated disclosure.”

In fact, when you read about a hacked product, it’s often old news. The hacker actually contacted the manufacturer months ago and the fix is being distributed, so the hacker is publishing the research now that it’s safe (or perhaps, safer). In the best-case scenario, the process works as described. Sometimes the manufacturer will pay the researcher a “bug bounty,” based on the severity of the bug.

So how does this process work? Recently CTA took a look at the traffic on the Network Security section of Reddit.com. We looked at all original content in a 48-hour period by the hackers, security engineers and researchers that upload to that site.

We found that more than half of the postings related to product security defects fell into this best-case scenario, with about one company in eight paying a bounty for the help. Bounties vary in size from the cash equivalent of “a nice dinner with the spouse” up to “I’ll go car shopping.”

On the other hand, one-fifth of the postings say nothing of any attempt to contact anyone. This “publish to the world” approach is believed by some to be ethical also. But you can usually tell when a hacker is working for the greater good – for example, they will register the vulnerability with a public database. There are signs that the hacker is on the dark side, too, such as describing how much “fun” this particular exploit is, or encouraging the reader to “get on out there and flog those browsers!”

In between these two extremes is something the industry can and should fix. In about a quarter of the cases, the researcher describes making a good-faith effort to contact the company but failing to find a path to the right department. This is an unfortunate but common occurrence. I’ve been contacted by researchers who had found security problems in a retailer’s house-branded product and wanted to get in touch with the right people at the manufacturer. Because the product was a “white label” device, they had to go through the retailer. No one they contacted at the retailer could help them, and I could not either.

What Can You Do for Your Product?

One quick and inexpensive opportunity is to make it easy for white hat researchers to contact you. Have your IT department set up and monitor an email address for “security,” in the format security@yourdomain.com, and publish this information on your website’s “Contact Us” page. CTA monitors security@CTA.tech, for example. Even better, follow an industry standard such as ISO/IEC 29147 for your disclosure process and have a dedicated page on your site for coordinated disclosure.

By opening up a friendly path to the security community, you can get their help in improving your product and gain some control over when and how the story is presented to the public.
