When we say we inform someone of malware hosted on their network, or of an inadvertently exposed server or sensitive information, we don't just send an e-mail saying "THIS SHIT IS OUT THERE. MIGHT WANNA FIX THAT." and call it a day.
Our process for responsible disclosure is usually:
"We are a group of concerned security researchers called WeAreTheArtillery. Our mission is to find systems on the internet serving malware, inadvertently exposed services and/or inadvertently exposed sensitive information. We are here to inform you regarding the following systems:"

We usually include IP addresses, hostnames, WHOIS information, screenshots, etc.
"We found X problem with Y IP address. We discovered X by doing Z. X is a problem for these reasons. Here is a list of potential solutions or remediations for X problem."
We always try to offer more than one solution for a given problem that we have found. We do not want organizations we contact to feel like it's FIX IT OR DO NOT FIX IT. THE CHOICE IS YOURS. We also understand that larger organizations have change control and change management procedures to go through. We are willing and available to maintain constant contact and full confidentiality until the problem can be properly resolved. Here's where we differentiate:
"If you need any assistance in resolving X problem or need further expertise, please feel free to reach out to us and we can guide you through resolving X."
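As an added illustration (not the group's own tooling), here is a small Python helper that captures the structure of the notice described above: each finding carries the affected host, the problem, how it was discovered, why it matters, and the remediation options, and the notice is refused unless every finding offers more than one remediation, matching the convention stated in the post. The host and evidence values are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed example of a disclosure notice builder; not WeAreTheArtillery's code.

INTRO = (
    "We are a group of concerned security researchers called WeAreTheArtillery. "
    "Our mission is to find systems on the internet serving malware, inadvertently "
    "exposed services and/or inadvertently exposed sensitive information. "
    "We are here to inform you regarding the following systems:"
)

CLOSING = (
    "If you need any assistance in resolving these problems or need further "
    "expertise, please feel free to reach out to us and we can guide you through "
    "resolving them."
)


@dataclass
class Finding:
    host: str                 # IP address or hostname ("Y" in the template)
    problem: str              # what was found ("X")
    discovery: str            # how it was found ("Z")
    impact: list              # reasons X is a problem
    remediations: list        # the notice requires more than one option
    evidence: list = field(default_factory=list)  # WHOIS, screenshots, etc.


def validate(finding):
    """Return a list of problems with the finding; empty means it is ready to send."""
    errors = []
    for name in ("host", "problem", "discovery"):
        if not getattr(finding, name).strip():
            errors.append(f"{name} is empty")
    if not finding.impact:
        errors.append("no impact reasons given")
    if len(finding.remediations) < 2:
        errors.append("offer more than one remediation")
    return errors


def render_notice(findings, contact):
    """Build the full notice text, or raise ValueError if any finding is incomplete."""
    bad = {f.host: validate(f) for f in findings if validate(f)}
    if bad:
        raise ValueError(f"incomplete findings: {bad}")
    parts = [INTRO, ""]
    for f in findings:
        parts.append(f"We found {f.problem} on {f.host}.")
        parts.append(f"We discovered this by {f.discovery}.")
        parts.append("This is a problem because:")
        parts.extend(f"  - {reason}" for reason in f.impact)
        parts.append("Potential remediations:")
        parts.extend(f"  {i}. {fix}" for i, fix in enumerate(f.remediations, 1))
        if f.evidence:
            parts.append("Supporting evidence: " + ", ".join(f.evidence))
        parts.append("")
    parts.append(CLOSING)
    parts.append(f"Contact: {contact}")
    return "\n".join(parts)


# Constructed sample finding (192.0.2.10 is a documentation address).
SAMPLE = Finding(
    host="192.0.2.10",
    problem="a publicly reachable database service with no authentication",
    discovery="reviewing service banners returned by the host",
    impact=["stored records can be read by anyone on the internet"],
    remediations=["restrict the service to internal networks", "require authentication"],
    evidence=["WHOIS record (placeholder)", "screenshot (placeholder)"],
)

if __name__ == "__main__":
    print(render_notice([SAMPLE], "research@example.invalid"))
```

The validation step is the useful part: it stops a half-written notice (no discovery method, a single take-it-or-leave-it fix) from going out, which is exactly the tone the post says the group wants to avoid.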
Let me make this abundantly clear. We aren't here to point out your flaws and laugh at you. That isn't how you get shit done, that isn't how problems get resolved. We want to be a trusted partner that security researchers can disclose to and ensure the problem is fixed. We want to be a trusted organization that can partner with private companies and LEO as required. If our goals were not clear initially, I sincerely hope that this clarifies our mission.
Those "wins" that I mentioned moments ago? We worked directly with security and NOC contacts at said organizations, and directly with the FBI, to achieve our goals, and we offered ourselves as steadfast professionals willing to assist. We will continue to do so.