The Netherlands Government has issued guidelines on how “Ethical hackers” who discover vulnerabilities should report them.
According to the guidelines, a person who discovers a vulnerability should report it directly to the owner of the system in a confidential manner.
It is not, however, clear what action the Ethical hacker should take if the owner does not respond. If there is public interest involved, is it right for the ethical hacker to remain silent and let the vulnerability continue?
It is essential for organizations that receive such communications to acknowledge the report and promise a time line within which a correction will be made, and to inform the ethical hacker about the correction through the same channel in which the vulnerability report was received.
If there is no response from the owner, there should be an escalation to a regulatory agency such as the CERT or an industry-specific authority, where a designated person should be available to receive such reports and respond.
If, after a reasonable time, no response is received from either the owner or the regulatory agency, the ethical hacker should be permitted, or rather obligated, to release the information on the vulnerability to the public, if possible through accredited security portals/agencies.
It may be recalled that Naavi.org had, during the last year, discussed this issue in the case of vulnerabilities exposed by a security professional, Mr Yash, in the Indian Banking system. In this case, the Banks refused to act and, instead of setting their systems right, took steps to forcibly shut out reports about the vulnerabilities. CERT-In refused to take cognizance and RBI preferred to remain silent on the issue. As a result, the vulnerabilities continue to exist and Bank customers continue to bear the risks for the commercial benefit of the Banks.
This is one live example of how things are handled in India. Perhaps this Netherlands Guideline will open the eyes of the Indian authorities if they have eyes that can see.
Naavi