You might think you’re doing a good deed by reporting a bug or malfunction in connection with a company’s website, but the truth is that not all organisations will thank you for it. Until quite recently, those reporting issues relating to US government sites could have faced tough prosecution for unauthorised use. Thankfully, times have changed and the responsible agency is now more open to receiving information about possible vulnerabilities in its domains.
Though the government is now encouraging security researchers to contact it about online security weaknesses under a new policy, this is, for now, strictly limited to a selection of domains.
What this means is that researchers who stumble upon any identifiable personal, proprietary or financial information on one of the given domains are urged to contact the Technology Transformation Service (TTS) as a matter of urgency. TTS is a department of the General Services Administration, and one of its responsibilities is to fix any such loopholes as quickly as possible.
Though some errors can slip through the net, companies and organisations can make their lives easier by using a software testing service such as the one provided by BugFinders (see https://www.bugfinders.com). By using a global team of human software testers, all angles are covered.
How to report an issue
As stated, any vulnerabilities in US government sites are to be reported to TTS with all supporting information. It is possible to contact the department anonymously if you want to be certain that you won’t get caught for snooping, but as long as your discovery was made in good faith there shouldn’t be any doubt. Just look at how things turned out for this high school student who hacked Pentagon sites and got away with it: http://www.reuters.com/article/us-usa-pentagon-cyber-idUSKCN0Z32IU.
What’s in the fine print
The policy demands that reports indicate exactly where the vulnerability was found, how to recreate the fault, how it might impact the agency, and any other relevant information. Non-technical bug testing, as well as user interface bugs, is not permitted, as such tests are deemed unreasonable. As a result, any researchers reporting bugs stemming from these kinds of tests are not protected from prosecution. Finally, TTS insists on a non-disclosure period of at least 90 days after the vulnerability has been reported to them.