
Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues?

An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al. and not just machine-gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.

7 of 128 comments

  1. How about "Thank you!"? by Anonymous Coward · Score: 5, Insightful

    How about just saying, "Thank you!" to them?

    You could also give them money.

    1. Re:How about "Thank you!"? by Anonymous Coward · Score: 4, Funny

      Report them to the FBI for hacking. That has been the standard procedure in the past.

    2. Re:How about "Thank you!"? by Grishnakh · Score: 4, Funny

      This is a stupid answer.

      Here's how you should actually handle people who report security issues:

      1) If you're an IT director and it's a company employee who reported it, you need to inform the upper management that you have a possible hacker in the company, and get his ass fired.

      2) If you work in a company and someone in the general public reported it, you need to notify your legal department so they can file a lawsuit against the person for defamation.

      3) If you're in government and this was reported by someone in the general public of your country, you need to notify law enforcement so they'll be arrested for hacking and thrown in prison.

      Only hackers would care about "security issues", and if that information becomes public, it will just help other hackers, so any such people need to be dealt with, extremely harshly. If you disagree, then you obviously are not in a position of power in the US.

  2. Fix the Bugs by BikeWreck · Score: 4, Insightful

    If they go to the trouble to document and report bugs, you need to fix them quickly. This isn't limited to security bugs -- any kind of bug deserves attention. That's more thanks than they get from most vendors. Nothing will make me quit a vendor more quickly than being ignored when I make substantial, documented bug reports.

  3. Well for one thing, don't persecute them!! by ZorinLynx · Score: 4, Insightful

    I've heard many cases of somebody reporting a security issue, then getting fired, sued, or arrested as a result. In the case of kids in school, suspended or expelled.

    They were HONEST here! They found a security problem and rather than exploit it for personal gain, they reported it, and then got in TROUBLE for it??

    It's absurd. It means when people hear of this and find security problems in the future, they'll keep quiet about them because they don't want to get in trouble too.

  4. Give them visible recognition by MobyDisk · Score: 5, Informative

    The best way to reward users is to give them an award that is publicly visible, to encourage others to do the same.

    Anecdote: I worked at an organization that, like many others, had a public "share drive." Sometimes I would browse the folders with pictures of coworkers at after-hours events. One time, I decided to see what was on the drive, and I found an Excel spreadsheet with a list of names, last 4 digits of social security numbers, and credit cards. Excel keeps the author's name in the file, so I contacted the author. They replied with "Oh, that file is a temporary file and it gets deleted every 30 days, so don't worry about it." I forwarded the email to the company's head of security, expecting no reply. A month later I was invited to a conference room for something random, and much to my surprise, I was presented with an award in front of 20 or so people in my department. My boss told me it was handed down to him by the head of corporate security, along with an explanation of what I had done. I was genuinely proud. Because of that event, I was more engaged with the company, and I have taken that security mindset with me. I can only hope that other employees took it to heart as well.

    I know the summary is about users reporting internal security concerns. However, on a broader note, we need an industry standard for reporting security issues. Every other day there's some story about an organization that ignored a report, or sued the researcher, or something. We need a standards body to:
    1. Create a standard form for submitting vulnerabilities (especially to 3rd-parties.)
    2. A standard way to deliver that form.
    3. A standard amount of time to wait for a response before disclosing it.
    4. A standard form to disclose it publicly, and a list of appropriate organizations to receive it.
    5. An industry-accepted expectation that, if you follow these industry standard steps, then you should be safe from lawsuits.

  5. Chocolate, Ice Cream, and Thanks all work. by dweller_below · Score: 4, Interesting

    When I worked IT Security for a University, we took extra effort to thank anybody who reported a security issue. Here are some examples:
    • We had an alert clerk notice that "something was off" when 3 people tried to sweet talk their way into a storage area. She flirted with them, while her co-worker called campus security. The cops had the penetration team spread and handcuffed before they could present their "Get Out Of Jail" documentation. Even then, they kept them handcuffed, until the cops called and verified the documentation. It was the first time that the penetration team had EVER had to use their documentation. I personally called and thanked everybody. I also arranged for the clerk to get a 2 pound box of the local Blue Bird Chocolates: http://bluebirdcandy.com/
    • When we started our "Internet Skeptic" awareness campaign: https://it.usu.edu/computer-se... we would send a coupon for a free Aggie Ice Cream Cone: http://aggieicecream.usu.edu/ to the first person to report a new phish.
    • Later, we found that prompt, public thanks worked as well as ice cream. We would promptly analyse every report, and then send out 2 sets of emails. The first would be the thank-you to the reporter. It included: Personalized thanks; A description of the scam; A report of how many others at USU were warned, thanks to their alertness. The second set of email would go out to everybody who had received a copy of the phishing scam. It included: A notification that the prior message was a fraud; Instructions for how to recover, if they had fallen for the fraud; A report of how many others also received the phish; A public acknowledgement of the alert reporter.
    • This spring, we had a "Phishing Tournament" with various awards for reporting fraudulent emails. The grand prize was a tackle box full of goodies.

    The small amount we spent on thanks was more than repaid by the savings created by a community of alert, careful internet skeptics.