Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues?

Posted by BeauHD on from the pat-on-the-back dept.

An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.

64 of 128 comments (clear)

  1. How about "Thank you!"? by Anonymous Coward · · Score: 5, Insightful

    How about just saying, "Thank you!" to them?

    You could also give them money.

    1. Re:How about "Thank you!"? by Anonymous Coward · · Score: 4, Funny

      Report them to the FBI for hacking. That has been the standard procedure in the past.

    2. Re:How about "Thank you!"? by MightyMartian · · Score: 1

      Absolutely! Anyone who finds any kind of security issue and then reveals it needs to be pursued and punished so severely that everyone who finds such issues just pretends they didn't see it and moves on. That'll make things REALLY secure!

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:How about "Thank you!"? by Anonymous Coward · · Score: 3, Informative

      Absolutely! Anyone who finds any kind of security issue and then reveals it needs to be pursued and punished so severely that everyone who finds such issues just pretends they didn't see it and moves on. That'll make things REALLY secure!

      You seem to be under the mistaken assumption that solving security problems is actually the end goal here. It's not. The end goal is to avoid personal or company liability, in which case congratulating someone is the WRONG thing to do because then you admit the product has a problem, and thus you are liable.
      Call the FBI is indeed the only correct answer.

    4. Re:How about "Thank you!"? by Anonymous Coward · · Score: 2, Interesting

      Thank them via email and CC their manager.

      Or, perhaps, thank their manager and CC your manager (and the end user).

    5. Re:How about "Thank you!"? by Grishnakh · · Score: 4, Funny

      This is a stupid answer.

      Here's how you should actually handle people who report security issues:

      1) If you're an IT director and it's a company employee who reported it, you need to inform the upper management that you have a possible hacker in the company, and get his ass fired.

      2) If you work in a company and someone in the general public reported it, you need to notify your legal department so they can file a lawsuit against the person for defamation.

      3) If you're in government and this was reported by someone in the general public of your country, you need to notify law enforcement so they'll be arrested for hacking and thrown in prison.

      Only hackers would care about "security issues", and if that information becomes public, it will just help other hackers, so any such people need to be dealt with, extremely harshly. If you disagree, then you obviously are not in a position of power in the US.

    6. Re:How about "Thank you!"? by buswolley · · Score: 1

      You can give them one of these!!!
      https://society6.com/product/w...

      Or if they steal all your info send them one of these:
      https://society6.com/product/b...

      --

      A Good Troll is better than a Bad Human.

    7. Re:How about "Thank you!"? by plopez · · Score: 2

      how about a "Wall of Fame" website. Post their names, email addresses, physical addresses, social security numbers, and mothers maiden names.

      --
      putting the 'B' in LGBTQ+
    8. Re:How about "Thank you!"? by Wootery · · Score: 1

      Surely a sensible manager would realise that the real liability is in getting owned by a genuinely malicious attacker, no?

    9. Re:How about "Thank you!"? by AmiMoJo · · Score: 1

      You can run a bug bounty programme internally and it won't create liability, because that is industry best practice. In fact these days if I were suing some company over a security breech then the lack of a safe way to report problems and some kind of reward scheme would be evidence of their negligence.

      We went down this route long ago. Humans are imperfect, sometimes they make mistakes when engineering stuff, but there is only liability if reasonable measures were not taken to detect and mitigate the problems.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:How about "Thank you!"? by sabbede · · Score: 1

      That's what I do. Then I follow it up with something like, "Great job, you did exactly right."

    11. Re:How about "Thank you!"? by Anonymous Coward · · Score: 1

      You forgot:

      4) Start a war with Russia because obviously they did it.

    12. Re:How about "Thank you!"? by Big+Hairy+Ian · · Score: 1

      Assuming they've given you a reasonable amount of time to resolve the issue and issue patches and you do. No thanks are necessary, however, regardless of whether you've fixed the defect or not after a reasonable amount of time they will go public.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  2. Show there how to break into the best porn sites by mykepredko · · Score: 1

    A bit ironic, but I'm sure it would be appreciated!

    --
    Mimetics Inc. Twitter
  3. Fix the Bugs by BikeWreck · · Score: 4, Insightful

    If they go to the trouble to document and report bugs, you need to fix them quickly. This isn't limited to security bugs -- any kind of bug deserves attention. That's more thanks than they get from most vendors. Nothing will make me quit a vendor more quickly than being ignored when I make substantial, documented bug reports.

  4. Well for one thing, don't persecute them!! by ZorinLynx · · Score: 4, Insightful

    I've heard many cases of somebody reporting a security issue, then getting fired, sued, or arrested as a result. In the case of kids in school, suspended or expelled.

    They were HONEST here! They found a security problem and rather than exploit it for personal gain, they reported it, and then get in TROUBLE for it??

    It's absurd. It means when people hear of this and find security problems in the future, they'll keep quiet about them because they don't want to get in trouble too.

    1. Re:Well for one thing, don't persecute them!! by burtosis · · Score: 1

      I've heard many cases of somebody reporting a security issue, then getting fired, sued, or arrested as a result. In the case of kids in school, suspended or expelled.

      They were HONEST here! They found a security problem and rather than exploit it for personal gain, they reported it, and then get in TROUBLE for it??

      It's absurd. It means when people hear of this and find security problems in the future, they'll keep quiet about them because they don't want to get in trouble too.

      Damn I was going to say "don't prosecute them" but you beat me to it. The parent needs a mod point or two as it is ridiculous when that happens.

    2. Re:Well for one thing, don't persecute them!! by Grishnakh · · Score: 2, Interesting

      Reporting "security issues" just makes people in power look bad, so it makes perfect sense that it would be strongly discouraged in such ways (fired, sued, arrested).

      The simple thing to do: do not EVER report any security issues you come across. It's not going to benefit you in any way, and is quite likely to harm you greatly. Just forget you saw anything and don't say anything to anyone. If this means your company is likely to get hacked so badly that they're going to go under, then they were already circling the drain, so you should just start looking for a new gig.

    3. Re:Well for one thing, don't persecute them!! by ZorinLynx · · Score: 1

      I specifically said "persecute" not "prosecute" because the former sorta encompasses the latter, and it's not always "prosecution" per-say. It's sometimes suspension, firing, etc...

      Just clearing that up!

    4. Re:Well for one thing, don't persecute them!! by Grishnakh · · Score: 2

      aaaand this is how western society rotts to the point of collapse.

      Yep. But doing the right thing isn't going to fix this, it's just going to get you in trouble. It's up to our leaders to fix this kind of stuff, but they're not doing it, and we're happily choosing the worst leaders possible, so it's really hopeless. Best to just keep your head down and look for a convenient exit when things get bad enough, and set yourself up to get out when the time is right.

      You really have to do some serious analysis on the conditions that create these ridiculous situation because this is a bad state of affairs.

      Yes, it would be really interesting to see someone write up a good academic analysis of this. It's probably hard to do though, without the lens of history and time. Hindsight is 20/20 and all that.

    5. Re:Well for one thing, don't persecute them!! by JWSmythe · · Score: 1

      That's why I'll only share such findings anonymously. Or at least anonymous enough. Go ahead, sue or attempt prosecution on John Smith who lives at 1 Main St, Anytown USA.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:Well for one thing, don't persecute them!! by AmiMoJo · · Score: 1

      Morally it's best to report it anonymously. Then when your ex-boss is in court claiming he knew nothing and it's all your fault, you can point to that anonymous email as evidence that he is lying.

      Just be sure to use Tor and a disposable email address, and obviously not from a work computer, and don't give any details that could reveal your identity.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Well for one thing, don't persecute them!! by Agripa · · Score: 1

      The simple thing to do: do not EVER report any security issues you come across. It's not going to benefit you in any way, and is quite likely to harm you greatly.

      And the best thing to do is anonymously announce it to the world. It is the only way it will get fixed and revenge is sweet.

    8. Re:Well for one thing, don't persecute them!! by Agripa · · Score: 1

      aaaand this is how western society rotts to the point of collapse. You really have to do some serious analysis on the conditions that create these ridiculous situation because this is a bad state of affairs.

      So? Any society that cannot correct these problems deserves to rot. We had almost 200 years to fix it and did not. We did not even seriously try.

      Politician lawyers and scavengers, but I repeat myself, love a rotting corpse.

  5. By Paying Attention to their Reports by tinkerton · · Score: 1

    If you demonstrate that you take the report seriously. So just showing a good followup of the report, with progress and fixes.
      That means having the resources since without resources nobody'll be happy.

  6. By actually following through by darkain · · Score: 2

    I've been reporting security issues in local businesses that I deal with. One is an ISP that stores and emails users passwords in plain text. Another is a bank exposing credit card numbers in plain text. When I report this shit, I expect actual follow through in fixing them. In the former case, the ISP literally gave me a "not our problem" response, while the bank said they'd contact me back and never did (still need to check to see if this issue has at least been resolved though).

    1. Re:By actually following through by grep+-v+'.*'+* · · Score: 2

      Another is a bank exposing credit card numbers in plain text.

      Don't worry -- I'll check for you so you don't have to bother with it. Which bank was that again....? ;-)

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  7. Send a copy of the thank you letter by zedaroca · · Score: 1

    To every congressman in the country, asking them to repel the CFAA or at least heavily reform it, while also making a huge PR stunt about it.

  8. Simple by motorsabbath · · Score: 1

    Fix the problem, promptly.

    --
    The heat from below can burn your eyes out
  9. just don't let them know you sent it by Tablizer · · Score: 2

    Hack directly to their screen and display, "Thanks for reporting the security issue. -Anonymous Coward"

    --
    Table-ized A.I.
  10. oh, i know! i know! by FudRucker · · Score: 1

    send them a 500 dollar gift card

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re: oh, i know! i know! by Opportunist · · Score: 1

      Why, sure, I have to know it works. Imagine handing out a gift card and then finding out that it's no good, that would be embarrassing!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Give 'em money. I'm not even kidding. by Da+w00t · · Score: 1

    Want to know when somebody finds a XSS vuln in your timesheet app? Give 'em a starbucks gift card. Or a $20 pre-paid gift debit card they can use anywhere.

    Sure, employees will try to game the system at first, and you'll find loopholes in your "rules" of the game. But the end result is net positive:

    1) Your employees are *paid* and *happy* to notify the company of vulnerabilities, and
    2) You. Fucking. Fix. Vulnerabilities.

    Seriously, it's a net win for both the company and the employees. Just do it.

    --

    da w00t. mtfnpy?
  12. Easy! by frank_adrian314159 · · Score: 1

    Lawsuit. At least that seems to be industry best practice...

    --
    That is all.
  13. Re:Who cares? by Anonymous Coward · · Score: 1

    Way to miss the point. Sure hope I never work with you.

    The deal is, how do you get people to actually follow recommended practices. Some places I've worked IT has had a lock on everything and it was annoying to users, but systems pretty much did what they should. Other places people just did whatever and IT was always playing catch up.

    Why is this, and how is compliance achieved? is the question.

  14. Back in olden times... by HotNeedleOfInquiry · · Score: 1

    We'd just toss them in jail...

    --
    "Eve of Destruction", it's not just for old hippies anymore...
  15. Give them visible recognition by MobyDisk · · Score: 5, Informative

    The best way to reward users is to give them an award that is publicly visible, to encourage others to do the same.

    Anecdote: I worked at an organization that, like many others, had a public "share drive." Sometimes I would browse the folders with pictures of coworkers at after-hours events. One time, I decided to see what was on the drive, and I found an Excel spreadsheet with a list of names, last 4 digits of social security numbers, and credit cards. Excel keeps the author's name in the file, so I contacted the author. They replied with "Oh, that file is a temporary file and it gets deleted every 30 days, so don't worry about it." I forwarded the email to the company's head of security, expecting no reply. A month later I was invited to a conference room for something random, and much too my surprise, I was presented with an award in front of 20 or so people in my department. My boss told me it was handed down to him by the head of corporate security, along with an explanation of what I had done. I was in genuinely proud. Because of that event, I was more engaged with the company, and I have taken that security mindset with me. I can only hope that other employees took it to heart as well.

    I know the summary is about users reporting internal security concerns. However on a broader note, we need an industry standard fo reporting security issues. Every other day there's some story about an organization that ignored a report, or sued the researcher, or something. We need a standards body to:
    1. Create a standard form for submitting vulnerabilities (especially to 3rd-parties.)
    2. A standard way to deliver that form.
    3. A standard amount of time to wait for a response before disclosing it.
    4. A standard form to disclose it publicly, and a list of appropriate organizations to receive it.
    5. An industry-accepted expectation that, if you follow these industry standard steps, then you should be safe from lawsuits.

  16. Stop bothering us with security "issues"! by shanen · · Score: 1

    Best way to report security issues and problems? Are you daft?

    1. They don't want to be bothered
    2. They want to "look good" as cheaply as possibly
    3. No liability

    Is it worth the expansion? Here on Slashdot? I must be daft, but I'll say a bit more:

    As regards #1 and many years of attempting to report problems, I can assure you that they [various organizations who, in theory, might be responsible for protecting your security as customers and users] are NOT grateful. These days the trend has become pigeonholing incoming reports to conveniently shaped holes, and it must be the fault of the black-hat hackers and scammers that they keep violating the RULES and keep failing to fit in the proper holes!

    As regards #2 the main goal is to do as little as possible while claiming as much credit as possible. Control the costs and regard it as a marketing issue, but (just in case you haven't noticed) the marketing people don't know much and care even less about security.

    As regards #3, I think the primary blame goes to Microsoft. They didn't invent liability evasion, but I think they perfected it with the EULA and related licenses. If the companies selling you software had any real liability for bugs (and especially for contagiously and outrageously harmful security flaws), then you can be assured they would stop selling so much pretty garbage.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  17. Fix them ASAP. by Ash-Fox · · Score: 1

    Litterally, just fix them ASAP.

    --
    Change is certain; progress is not obligatory.
  18. Take a Cue From our Corporate Overlords by nsuccorso · · Score: 1

    Send them a threatening letter from your legal team, along with a DMCA takedown notice.

    1. Re:Take a Cue From our Corporate Overlords by supremebob · · Score: 1

      I guess that it's better than being labeled a "cyber terrorist" and rotting in Gitmo for the next 25 years.

  19. Let's rewind here for a second by buss_error · · Score: 1
    Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices.

    My workplace has many security "features". I am a long time IT worker above level III.
    From cold boot to being productive takes longer than 10 minutes due to the security feature of being able to use the 2FA token exactly once, then having to wait for the next one (90 seconds on average). This is really a "nice" feature when your infrastructure is completely down and you have C level execs screaming to get it back up. (Yes, it's load balanced and it has HA pairs all over the joint, but while rare, the whole thing can pack it in sometimes. Budget constraints.)
    If your users are taking a "fuck it" attitude, that can at times be put down to them. Other times, put it down to security for the sake of security and becoming an obstacle, rather than meaningful procedure.

    As for thanking a user, I find a simple "Wow. Holy cow. Thanks, we need to fix that!" and keeping them in the loop if they want is best.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  20. How do I find companies that hire people like you? by Anonymous Coward · · Score: 2, Interesting

    Your attitude clearly demonstrates you care about the end users in your network. As a former corporate peon, this is refreshing.

  21. derp by JThundley · · Score: 1

    Let them keep their job.

  22. You mean like they do now? by tylersoze · · Score: 2

    By prosecuting them to the fullest extent of the law?

  23. Sue them! by Anonymous Coward · · Score: 1

    Teach them to never, ever do it again.

  24. Blowjobs by nospam007 · · Score: 1

    A coupon for an espresso and a blowjob in Switzerland.(and the flight perhaps)

    http://www.eater.com/2016/6/24...

  25. Good answer by raymorris · · Score: 2

    This is one of the few useful answers posted.

    1. Re:Good answer by jofas · · Score: 1

      No, it's not. You don't CC anyone's manager unless you're trying to get them fired. Doesn't sound like you've been in the workforce very long.

  26. My incentive plan ... by CaptainDork · · Score: 1

    ... was to send out an email to firm@..... that actually did hit all members of the firm, including the partners, to brag on a person who asked me if, "the UPS link," was OK or not.That way, I got a chance to:

      Make a coworker (fuck the "user" mentality) feel good
      Make a coworker look good to peers and management
      Lecture the entire work universe about security (again, and again, and again)
      Head off the, "Well, no one ever told me ..." crap

    I was a broken record, and sometimes a person would screw up (I kept that between the two of us) but it was about the best I could come up with.

    --
    It little behooves the best of us to comment on the rest of us.
  27. Chocolate, Ice Cream, and Thanks all work. by dweller_below · · Score: 4, Interesting
    When I worked IT Security for a University, we took extra effort to thank anybody who reported a security issue. Here are some examples:
    • * We had an alert clerk notice that "something was off" when 3 people tried to sweet talk their way into a storage area. She flirted with them, while her co-worker called campus security. The cops had the penetration team spread and handcuffed before they could present their "Get Out Of Jail" documentation. Even then, they kept them handcuffed, until the cops called and verified the documentation. It was the first time that the penetration team had EVER had to use their documentation. I personally called and thanked everybody. I also arranged for the clerk to get a 2 pound box of the local Blue Bird Chocolates: http://bluebirdcandy.com/
    • * When we started our "Internet Skeptic" awareness campaign: https://it.usu.edu/computer-se... we would send a coupon for a free Aggie Ice Cream Cone: http://aggieicecream.usu.edu/ to the first person to report a new phish.
    • * Later, we found that prompt, public thanks worked as well as ice cream. We would promptly analyse every report, and then send out 2 sets of emails. The first would be the thank-you to the reporter. It included: Personalized thanks; A description of the scam; A report of how many others at USU were warned, thanks to their alertness. The second set of email would go out to everybody who had received a copy of the phishing scam. It included: A notification that the prior message was a fraud; Instructions for how to recover, if they had fallen for the fraud; A report of how many others also received the phish; A public acknowledgement of the alert reporter.
    • * This spring, we had a "Phishing Tournament" with various awards for reporting fraudulent emails. The grand prize was a tackle box full of goodies.

    The small amount we spend on thanks was more than repaid by the savings created by a community of alert, careful internet skeptics.

  28. Works in the military by Anonymous Coward · · Score: 1

    What we do is send a letter to their commander commending them (the commander) and the person who identified the problem. Commanders love getting their egos stroked, and love handing out letters in big meetings. Like full formal ceremony bullshit, major blah blah blahs, private walks up to the front, gets presented the letter just the same as a medal, shake hands, pose for a photo, salute. It's fucking hilarious, but they eat this shit up.

  29. Currently by hcs_$reboot · · Score: 1

    Currently the way to thank users who report security issues is: "Fuck off!"

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  30. Prison Time. by edibobb · · Score: 1

    What's wrong with the way it is now?

  31. Re:Money by plopez · · Score: 1

    why would i want 10s ?

    --
    putting the 'B' in LGBTQ+
  32. BOFH way to say thank you... by ctrl-alt-canc · · Score: 1

    1) Send email thanking for the report, and solicit them to visit a site for getting more info.
    2) When they browse the site grab at once user's IP address.
    3) Exploit the vulnerability they reported by hacking into their system.
    4) Delete everything you can.

  33. Ban them by majorme · · Score: 1

    Your software is perfect

  34. Find a way to give them "special service" by Opportunist · · Score: 1

    If your company does not aid you with an official reward system, create your own within the limits of your ability.

    I was working in risk management and security assessment a while ago. Basically our job was to find security problems and decide whether we can carry the risk if we find one or whether a service has to go. As you can imagine, that does give you a bit of a wiggle room concerning the severeness of a problem. And we soon made it a public secret that reporting a problem you find in your own system yourself gives you usually a way lower assessment than one that was found by someone else, and if we find out you tried to cover it up, we would make CERTAIN to find a reason that your service has to be shot down NOW.

    People were VERY cooperative, to say the least.

    Of course that doesn't mean we could let serious security risks simply ride, and neither had we services shut for trivial bullshit (though, as you can imagine, when someone tried to keep stuff hidden from us it was something that was a "shut down NOW" reason anyway, like, e.g., storing credit card numbers in plain text in an unencrypted database that is publicly accessible, just to fabricate a completely impossible example...). But it did serve to give people a good incentive to work with us instead of trying to keep stuff hidden from us.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  35. Making decent bug reports?! by fbobraga · · Score: 1

    What Is the Best Way To Thank Users For Reporting Security Issues?

    1. Re:Making decent bug reports?! by fbobraga · · Score: 1

      If a dev needs a "Thank You" after do his job, he/she are doing it wrong...

    2. Re:Making decent bug reports?! by nanospook · · Score: 1

      It's not a question of need, it's a question of letting a community know that someone did the right thing so "they" do the right thing..

      --
      Have you fscked your local propeller head today?
  36. At my company... by poofmeisterp · · Score: 1

    At my company, IT sends out an email or phone paging message when there's something people really need to know about. The person who originally found or reported it is given a mention for helping the company out. It makes them feel VERY special and well-pet.

    It's sad but just a mention of a person's name to a large group of people for having done something that was smiled upon is enough to make most feel like a god/goddess. Human nature, I guess. It works. More people report suspicious things because they're hoping to get a mention.

    It's a lot like moderation on /. - I expect no moderation because I'm answering a question, but if I discovered the latest malware that's easy to identify but only if you know what to look for, I would hope for an up-mod. Same with people in the office; they l-hu-uuuuuuuuuve the up-mod if they've helped and everyone sees/hears their name.

  37. Re: Show there how to break into the best porn sit by Falos · · Score: 1

    Goku's spirit bomb needs it more. Be logica(Score: -1, Discrimination)

  38. Re: Money by plopez · · Score: 1

    Lincoln is on the 5. Ben is on the 100.

    --
    putting the 'B' in LGBTQ+