Slashdot Mirror
Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues?
An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.
How about just saying, "Thank you!" to them?
You could also give them money.
And pass them along to 40 other marketers, so that user can have first crack at any number of special, once-in-a-lifetime offers.
A bit ironic, but I'm sure it would be appreciated!
Mimetics Inc. Twitter
I mean this literally... other than user thankers, who cares? Every decade or two, when it's time to thank a user, I go to the user cubicles, and I thank someone who is in their cubicle, within earshot of my voice. I couldn't care if it was security-related, fridge-courtesy-related, or FairyDust-related. A user is a user is a user.
If they go to the trouble to document and report bugs, you need to fix them quickly. This isn't limited to security bugs -- any kind of bug deserves attention. That's more thanks than they get from most vendors. Nothing will make me quit a vendor more quickly than being ignored when I make substantial, documented bug reports.
If I were you, I would focus more on preventing the users from being able to run those attachments. You can filter them out on the email server and implement a method for users to manually request the retrieval of suspicious attachments, after you've verified them of course. Same for your proxy server (you will need to do some certificate trickery for https), and ultimately you should consider white-listing execution on clients altogether.
I have set up filter to strip all documents with OLE embedded content at my company, and if a user has a legitimate need to access a document with macros and such, then I need to eyeball it first.
That said, of course you should praise users for doing the right thing. It's rare (hence prevention is better than cure).
I've heard many cases of somebody reporting a security issue, then getting fired, sued, or arrested as a result. In the case of kids in school, suspended or expelled.
They were HONEST here! They found a security problem and rather than exploit it for personal gain, they reported it, and then get in TROUBLE for it??
It's absurd. It means when people hear of this and find security problems in the future, they'll keep quiet about them because they don't want to get in trouble too.
If you demonstrate that you take the report seriously. So just showing a good followup of the report, with progress and fixes.
That means having the resources since without resources nobody'll be happy.
I've been reporting security issues in local businesses that I deal with. One is an ISP that stores and emails users passwords in plain text. Another is a bank exposing credit card numbers in plain text. When I report this shit, I expect actual follow through in fixing them. In the former case, the ISP literally gave me a "not our problem" response, while the bank said they'd contact me back and never did (still need to check to see if this issue has at least been resolved though).
Benjamin's are always welcome.
To every congressman in the country, asking them to repel the CFAA or at least heavily reform it, while also making a huge PR stunt about it.
Isn't litigation the best thank you?
Fix the problem, promptly.
The heat from below can burn your eyes out
Official corporate policy.
The only good hacker is a dead hacker.
Hack directly to their screen and display, "Thanks for reporting the security issue. -Anonymous Coward"
Table-ized A.I.
Best is monetary reward
Fame can also be good, but you might not have much to grant them
Destroying their career for it makes you a villain
And having them arrested over it is the kind of thing that should get your family hung with you.
Try to go for money, or at least recognition and a nice gold star.
My boss would give me a stack of "Free Lunch" cards good at the company cafeteria. I could hand these out to IT workers when they provided exceptional service and users when they provided help that we needed. A small reward of food provided incentive way beyond it's dollar value.
send them a 500 dollar gift card
Politics is Treachery, Religion is Brainwashing
Want to know when somebody finds a XSS vuln in your timesheet app? Give 'em a starbucks gift card. Or a $20 pre-paid gift debit card they can use anywhere.
Sure, employees will try to game the system at first, and you'll find loopholes in your "rules" of the game. But the end result is net positive:
1) Your employees are *paid* and *happy* to notify the company of vulnerabilities, and
2) You. Fucking. Fix. Vulnerabilities.
Seriously, it's a net win for both the company and the employees. Just do it.
da w00t. mtfnpy?
That will really test their security consciousness and awareness skills! Take it to the next level!
Lawsuit. At least that seems to be industry best practice...
That is all.
This is what all Phishing companies tell their clients to do. Create a reporting methodology as well as an incentive system for those reports. Unfortunately those phishing companies sell boring Computer Based Training with their services. Some claim they are not lame or boring, they are. Internal phishing give the user a custom page that says "hey you would of got got if this were a real phish". and that is supposed to deter the users. They are supposed to be alarmed by the notice, I know for a fact they are not. If they are, it only works once. Which may be good, maybe they will report from then on out, but they don't. We get at 1% report rate, and we have a aggressive reporting stance. While we only get a few to report, many many more delete the emails out-right when they suspect them. Which is kinda good too, but it's not what we've asked them to do, it's what they have learned from other companies they were with prior.
To answer your question, sending them a TY the first 1-3 times they report, and after that, CC the reporter, and the next time tell their manager/boss that the user is persistent and is doing a great job consistantly reporting possible phishing issues.
The only problem is, they will report every spam email after that...
We'd just toss them in jail...
"Eve of Destruction", it's not just for old hippies anymore...
For employees, your organization may already have a corporate-level recognition program - Use that...Ask HR for details
The best way to reward users is to give them an award that is publicly visible, to encourage others to do the same.
Anecdote: I worked at an organization that, like many others, had a public "share drive." Sometimes I would browse the folders with pictures of coworkers at after-hours events. One time, I decided to see what was on the drive, and I found an Excel spreadsheet with a list of names, last 4 digits of social security numbers, and credit cards. Excel keeps the author's name in the file, so I contacted the author. They replied with "Oh, that file is a temporary file and it gets deleted every 30 days, so don't worry about it." I forwarded the email to the company's head of security, expecting no reply. A month later I was invited to a conference room for something random, and much too my surprise, I was presented with an award in front of 20 or so people in my department. My boss told me it was handed down to him by the head of corporate security, along with an explanation of what I had done. I was in genuinely proud. Because of that event, I was more engaged with the company, and I have taken that security mindset with me. I can only hope that other employees took it to heart as well.
I know the summary is about users reporting internal security concerns. However on a broader note, we need an industry standard fo reporting security issues. Every other day there's some story about an organization that ignored a report, or sued the researcher, or something. We need a standards body to:
1. Create a standard form for submitting vulnerabilities (especially to 3rd-parties.)
2. A standard way to deliver that form.
3. A standard amount of time to wait for a response before disclosing it.
4. A standard form to disclose it publicly, and a list of appropriate organizations to receive it.
5. An industry-accepted expectation that, if you follow these industry standard steps, then you should be safe from lawsuits.
Best way to report security issues and problems? Are you daft?
1. They don't want to be bothered
2. They want to "look good" as cheaply as possibly
3. No liability
Is it worth the expansion? Here on Slashdot? I must be daft, but I'll say a bit more:
As regards #1 and many years of attempting to report problems, I can assure you that they [various organizations who, in theory, might be responsible for protecting your security as customers and users] are NOT grateful. These days the trend has become pigeonholing incoming reports to conveniently shaped holes, and it must be the fault of the black-hat hackers and scammers that they keep violating the RULES and keep failing to fit in the proper holes!
As regards #2 the main goal is to do as little as possible while claiming as much credit as possible. Control the costs and regard it as a marketing issue, but (just in case you haven't noticed) the marketing people don't know much and care even less about security.
As regards #3, I think the primary blame goes to Microsoft. They didn't invent liability evasion, but I think they perfected it with the EULA and related licenses. If the companies selling you software had any real liability for bugs (and especially for contagiously and outrageously harmful security flaws), then you can be assured they would stop selling so much pretty garbage.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Litterally, just fix them ASAP.
Change is certain; progress is not obligatory.
Send them a threatening letter from your legal team, along with a DMCA takedown notice.
My workplace has many security "features". I am a long time IT worker above level III.
From cold boot to being productive takes longer than 10 minutes due to the security feature of being able to use the 2FA token exactly once, then having to wait for the next one (90 seconds on average). This is really a "nice" feature when your infrastructure is completely down and you have C level execs screaming to get it back up. (Yes, it's load balanced and it has HA pairs all over the joint, but while rare, the whole thing can pack it in sometimes. Budget constraints.)
If your users are taking a "fuck it" attitude, that can at times be put down to them. Other times, put it down to security for the sake of security and becoming an obstacle, rather than meaningful procedure.
As for thanking a user, I find a simple "Wow. Holy cow. Thanks, we need to fix that!" and keeping them in the loop if they want is best.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Your attitude clearly demonstrates you care about the end users in your network. As a former corporate peon, this is refreshing.
A bit ironic, but I'm sure it would be appreciated!
More likely you will be hauled down to HR and booked on a sexual harassment charge... But, for some, keeping HR busy with trivial issues could be a good thing, might keep them from looking too hard at local competitive salaries or from having the time to find cheaper insurance for everybody....
SUE!
CASH!
IS!
KING!
AND!
DEAD!
You are watching our backs, and these users really appreciate it and trust you. A simple thank you card, "hey thanks!" phone call or visit to give your appreciation are all it takes.
Let them keep their job.
Every bug ticket is a chance to cover your beehind and find an ally...just quickly fix it and figure out how to incorporate into the best practices list.
Send a seize and desist, don't fix it, then sue if it becomes public.
I've given many "thank you" / "congratulations on your ___ accomplishment" to coworkers over the years. Buy some beer or wine, somewhere between $10-$20 in value, hand it to them in person. I've never had anybody turn it down. Bonus points if you can find out ahead of time what type of beer/wine they like - either via coworkers or asking directly.
Only had one case in my career where the person did not consume alcohol - knew about it already and got them an assortment of specialty food items instead I knew they liked.
By prosecuting them to the fullest extent of the law?
Teach them to never, ever do it again.
A coupon for an espresso and a blowjob in Switzerland.(and the flight perhaps)
http://www.eater.com/2016/6/24...
Just put them straight in jail for making you look stupid
This is one of the few useful answers posted.
Your idea of HR is woefully outdated. The modern HR team is responsible for ensuring that the appropriate number of transgender washrooms are built and that safe spaces are available for all millennials in the organization.
The company should sue the pants off of those hackers who are ransoming their crown jewels!
I think the best way to thank users for finding bugs is to send them a DMCA takedown notice and threaten them with legal action. This has been working well since the DMCA was implemented, I mean why stop the practice now?
Sue the bastards out of existence. That should teach them.
Go ahead. It's the American way. And make them pay for it.
I send those out to my people that can't get anything done, run a macro to look like they're working so I can get credit for it. They get a great resume, I keep my bonus.
I was watching a story awhile back where someone pointed out to the bank that they didn't put a password on their website, so they arrested him.
... was to send out an email to firm@..... that actually did hit all members of the firm, including the partners, to brag on a person who asked me if, "the UPS link," was OK or not.That way, I got a chance to:
Make a coworker (fuck the "user" mentality) feel good ..." crap
Make a coworker look good to peers and management
Lecture the entire work universe about security (again, and again, and again)
Head off the, "Well, no one ever told me
I was a broken record, and sometimes a person would screw up (I kept that between the two of us) but it was about the best I could come up with.
It little behooves the best of us to comment on the rest of us.
The small amount we spend on thanks was more than repaid by the savings created by a community of alert, careful internet skeptics.
What we do is send a letter to their commander commending them (the commander) and the person who identified the problem. Commanders love getting their egos stroked, and love handing out letters in big meetings. Like full formal ceremony bullshit, major blah blah blahs, private walks up to the front, gets presented the letter just the same as a medal, shake hands, pose for a photo, salute. It's fucking hilarious, but they eat this shit up.
Currently the way to thank users who report security issues is: "Fuck off!"
Slashdot, fix the reply notifications... You won't get away with it...
What's wrong with the way it is now?
The people that file tickets to ask if they should open an email are the moronic idiots that have already made stupid choices.
Thank everyone else.
Everybody's so creative. I hear all kinds rewards. Sueing them. Prison time. Firing them. What a creativity!
I miss one option: the pleasurable experience of torture. Instead of filtering spam, forward all spam recieved by the company to his email address and have him answer them all by hand. This would serve to motivate him to find additional security flaws.
1) Send email thanking for the report, and solicit them to visit a site for getting more info.
2) When they browse the site grab at once user's IP address.
3) Exploit the vulnerability they reported by hacking into their system.
4) Delete everything you can.
Your software is perfect
If your company does not aid you with an official reward system, create your own within the limits of your ability.
I was working in risk management and security assessment a while ago. Basically our job was to find security problems and decide whether we can carry the risk if we find one or whether a service has to go. As you can imagine, that does give you a bit of a wiggle room concerning the severeness of a problem. And we soon made it a public secret that reporting a problem you find in your own system yourself gives you usually a way lower assessment than one that was found by someone else, and if we find out you tried to cover it up, we would make CERTAIN to find a reason that your service has to be shot down NOW.
People were VERY cooperative, to say the least.
Of course that doesn't mean we could let serious security risks simply ride, and neither had we services shut for trivial bullshit (though, as you can imagine, when someone tried to keep stuff hidden from us it was something that was a "shut down NOW" reason anyway, like, e.g., storing credit card numbers in plain text in an unencrypted database that is publicly accessible, just to fabricate a completely impossible example...). But it did serve to give people a good incentive to work with us instead of trying to keep stuff hidden from us.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2 things. Cash & actually FIXING THE ISSUE!
Win10 is a bug when it comes to privacy. Please fix it.
You forgot the power about empowering black females.
"I don't shoot my mouth off without knowing what I'm talking about" - by raymorris (2726007) on Thursday December 31, 2015 @09:29AM (#51215379)
Raymorris you shoot your mouth off f'ing up in 2 security fuckups https://it.slashdot.org/comments.pl?sid=5351503&cid=47379233/ & https://slashdot.org/comments.pl?sid=5351503&cid=47374033/ + raymorris = scriptkiddie https://politics.slashdot.org/comments.pl?sid=8895203&cid=51726265/
&
Tell us how ONLY 'newer script kiddie tools' have stringlength built in (when PASCAL had it for ages - my fav tool) https://slashdot.org/comments.pl?sid=8472509&cid=51114383/ YOU BLUNDERING WANNABE!
APK
P.S.=> You like to talk behind others' backs like the gossiping bitch TROLL you are raymorris https://slashdot.org/comments.pl?sid=9880997&cid=53312265/ well, here I am letting YOU TALK in those links, showing your FAILS wannabe ... apk
From the sounds of it, you are doing it right. Maybe an actual tangible reward, like a gift card or something could be added.
But I'd suggest also making sure their manager sees the same thank you.
Back in the day where ISPs would give people home directories for FTP access, and server spaces to run their own webpages, it seems they failed to lock down security. After I told them of their security oversight, my account was cancelled.
Blowjob
a booth in the lobby, next to the complaint box plz, and maybe a share to your box of yet-to-be-glazed doughnuts that havent been inspected by your IT Derp or law enforcement.
At my company, IT sends out an email or phone paging message when there's something people really need to know about. The person who originally found or reported it is given a mention for helping the company out. It makes them feel VERY special and well-pet.
It's sad but just a mention of a person's name to a large group of people for having done something that was smiled upon is enough to make most feel like a god/goddess. Human nature, I guess. It works. More people report suspicious things because they're hoping to get a mention.
It's a lot like moderation on /. - I expect no moderation because I'm answering a question, but if I discovered the latest malware that's easy to identify but only if you know what to look for, I would hope for an up-mod. Same with people in the office; they l-hu-uuuuuuuuuve the up-mod if they've helped and everyone sees/hears their name.
Pajamagram
It's what Apple does.
Goku's spirit bomb needs it more. Be logica(Score: -1, Discrimination)