I refer to the earlier post on the Disclosure Guidelines for Ethical Hackers suggested by the Government of the Netherlands, which apply when ethical hackers observe vulnerabilities. (An English version of the original Dutch guideline is also available.)
One of the suggestions made therein is that the ethical hacker who observes a vulnerability should first report it to the owner of the facility and give them an option to plug the vulnerability.
Users are, however, required to adhere to the framework mentioned in the guideline, according to which they shall refrain from altering the system and shall not repeatedly access the system. They should also avoid using brute-force techniques to access a system. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed, and only with the consent of the involved organization.
The guidelines, however, are silent on what action the ethical hacker has to take if the owner of the system remains silent. There is, however, a mention that “The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said.”
The National Cyber Security Center also states that it would be willing to act as an intermediary to inform the owner of the vulnerable system if the vulnerability is brought to their notice.
Though the security professional who has found the vulnerability acts in good faith and notifies the owner of the system, it is possible that the owner may not respond and may later raise an objection that he was never informed. In such a situation it will be necessary for the ethical hacker to create suitable evidence in his favour to prove that he actually served the necessary notice.
CEAC (Naavi’s Cyber Evidence Archival Service, details of which are available at www.ceac.in) provides a paid service for the delivery of “Certified E-Mails”. In the Indian context, this service is structured so as to meet the requirements of “Admissible Evidence” under Section 65B of the Indian Evidence Act. Presently this is a paid service.
However, in the interest of promoting “Security” and to offer support to Ethical Hackers who in good faith would like to deliver notices as per the said Netherlands guidelines or in a similar “good practice”, CEAC will offer to deliver such notices free of charge.
A similar facility was offered to Mr Yash, an Indian security professional who published the banking vulnerability, where a demo of the vulnerability was sent to the necessary authorities (though no action came forth from them).
We hope that security professionals use this facility to create third-party evidence to protect themselves from liabilities.
CEAC, however, restricts its activity to forwarding the communication as received from the ethical hacker to a designated e-mail address, and does not take any responsibility for the correctness of the report or for whether the ethical hacker had followed the necessary guideline, etc. Interested persons may get the details from Naavi.
Naavi