SoylentNews

A Quarter of Ethical Hackers Couldn't Report A Cybersecurity Concern

posted by Fnord666 on Thursday January 18 2018, @07:07PM   
from the la-la-la-can't-hear-you dept.

MrPlow writes:

[Update: Corrected title per first comment. Also, should you find any kind of vulnerability with SoylentNews, please send a description to "dev" at "soylentnews.org" and we'll address it as soon as possible. --martyb]

Submitted via IRC for AndyTheAbsurd

Almost a quarter of hackers have not reported a vulnerability that they found because the company didn't have a channel to disclose it, according to a survey of the ethical hacking community.

With 1,698 respondents, the 2018 Hacker Report, conducted by the cybersecurity platform HackerOne, is the largest documented survey ever conducted of the ethical hacking community.

In the survey, HackerOne reports that nearly 1 in 4 hackers have not reported a vulnerability because the company in question lacks a vulnerability disclosure policy (VDP) or a formal method for receiving vulnerability submissions from the outside world.

Without a VDP, ethical, white-hat hackers are forced to go through other channels like social media or emailing personnel in the company, but, as the survey states, they are "frequently ignored or misunderstood".

But that means that three-quarters DO, which I guess is good news. Or at least not bad news.

Source: http://factor-tech.com/connected-world/27830-a-quarter-of-ethical-hackers-dont-report-cybersecurity-concerns-because-its-not-clear-who-they-should-be-reporting-them-to/

---

Original Submission

• Shoot The Messenger Shoot The Messenger (Score: 3, Interesting) by DannyB on Thursday January 18 2018, @07:49PM (3 children)

  by DannyB (5839) on Thursday January 18 2018, @07:49PM (#624326) Journal

  Why should this be surprising when the parties guilty of having the vulnerability instantly take a "Shoot The Messenger" mentality.

  For example AT&T or Apple had a problem that by changing a GET parameter, visible in the URL,
  some type of, for example: &id=53782
  to a different number, you can access a different customer or something you were not intended to see.

  Try reporting that? Get called a hacker! They call the FBI.

  No good deed goes unpunished.

  So it is any wonder why ethical hackers aren't going to report vulnerabilities?

  --
  To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.

  Starting Score:	1		point
  Moderation		+1
  Interesting=1, Total=1
  Extra 'Interesting' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		3

• Re:Shoot The Messenger (Score: 0) by Anonymous Coward on Thursday January 18 2018, @08:07PM

  by Anonymous Coward on Thursday January 18 2018, @08:07PM (#624337)

  yes, it goes a little beyond "don't have formal reporting blah, blah". try "asshat windows users leave their front door wide open blowing in the wind and when you peak your head in to tell them their door is flapping about, they rat you out to some nearly equally stupid bastards for breaking in." screw these companies. they deserve to be attacked until they go out of business.

  Parent

• Re:Shoot The Messenger Re:Shoot The Messenger (Score: 2) by Grishnakh on Thursday January 18 2018, @09:17PM (1 child)

  by Grishnakh (2831) on Thursday January 18 2018, @09:17PM (#624402)

  When ethical hackers are treated like that, I really have to wonder why there's any "ethical hackers" still left.

  Parent

  • Re:Shoot The Messenger (Score: 0) by Anonymous Coward on Friday January 19 2018, @12:36AM

    by Anonymous Coward on Friday January 19 2018, @12:36AM (#624494)

    Some people just like being ethical.

    Parent