Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues?
An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses, et al., and not just machine-gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug-bounty-type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.
Report them to the FBI for hacking. That has been the standard procedure in the past.
This is a stupid answer.
Here's how you should actually handle people who report security issues:
1) If you're an IT director and it's a company employee who reported it, you need to inform the upper management that you have a possible hacker in the company, and get his ass fired.
2) If you work in a company and someone in the general public reported it, you need to notify your legal department so they can file a lawsuit against the person for defamation.
3) If you're in government and this was reported by someone in the general public of your country, you need to notify law enforcement so they'll be arrested for hacking and thrown in prison.
Only hackers would care about "security issues", and if that information becomes public, it will just help other hackers, so any such people need to be dealt with, extremely harshly. If you disagree, then you obviously are not in a position of power in the US.