Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues?

An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.

4 of 128 comments

  1. Re:How about "Thank you!"? by Anonymous Coward · · Score: 2, Interesting

    Thank them via email and CC their manager.

    Or, perhaps, thank their manager and CC your manager (and the end user).

  2. How do I find companies that hire people like you? by Anonymous Coward · · Score: 2, Interesting

    Your attitude clearly demonstrates you care about the end users in your network. As a former corporate peon, this is refreshing.

  3. Re:Well for one thing, don't persecute them!! by Grishnakh · · Score: 2, Interesting

    Reporting "security issues" just makes people in power look bad, so it makes perfect sense that it would be strongly discouraged in such ways (fired, sued, arrested).

    The simple thing to do: do not EVER report any security issues you come across. It's not going to benefit you in any way, and is quite likely to harm you greatly. Just forget you saw anything and don't say anything to anyone. If this means your company is likely to get hacked so badly that they're going to go under, then they were already circling the drain, so you should just start looking for a new gig.

  4. Chocolate, Ice Cream, and Thanks all work. by dweller_below · · Score: 4, Interesting

    When I worked IT Security for a University, we took extra effort to thank anybody who reported a security issue. Here are some examples:
    • We had an alert clerk notice that "something was off" when 3 people tried to sweet talk their way into a storage area. She flirted with them, while her co-worker called campus security. The cops had the penetration team spread and handcuffed before they could present their "Get Out Of Jail" documentation. Even then, they kept them handcuffed, until the cops called and verified the documentation. It was the first time that the penetration team had EVER had to use their documentation. I personally called and thanked everybody. I also arranged for the clerk to get a 2 pound box of the local Blue Bird Chocolates: http://bluebirdcandy.com/
    • When we started our "Internet Skeptic" awareness campaign: https://it.usu.edu/computer-se... we would send a coupon for a free Aggie Ice Cream Cone: http://aggieicecream.usu.edu/ to the first person to report a new phish.
    • Later, we found that prompt, public thanks worked as well as ice cream. We would promptly analyse every report, and then send out 2 sets of emails. The first would be the thank-you to the reporter. It included: personalized thanks; a description of the scam; a report of how many others at USU were warned, thanks to their alertness. The second set of emails would go out to everybody who had received a copy of the phishing scam. It included: a notification that the prior message was a fraud; instructions for how to recover, if they had fallen for the fraud; a report of how many others also received the phish; a public acknowledgement of the alert reporter.
    • This spring, we had a "Phishing Tournament" with various awards for reporting fraudulent emails. The grand prize was a tackle box full of goodies.

    The small amount we spent on thanks was more than repaid by the savings created by a community of alert, careful internet skeptics.