security issue reporting procedures ?

[zerog2k]

Emporia,

What is your security reporting procedure and responsible disclosure policy?

ref:

https://www.hackerone.com/blog/What-Vulnerability-Disclosure-Policy-and-Why-You-Need-One

 

[Ted @ Emporia]

 

We don’t have a formal process in place yet.  We’re a small dev team working to release new features and haven’t had time to figure out if the best process is to hire HackerOne or not.

We’ve had a couple of customers reach out about issues which we then resolved.

What do you suggest as a first step?

[zerog2k]

Do you have an email which a party wishing to make a responsible disclosure can correspond with your team?
This public forum is probably not appropriate for reporting possibly sensitive issues.

Regarding the responsible disclosure policy, part of it is about establishing a reporting process and commitments to prioritize fixing issues, but also about assurances that responsible disclosures made in good faith will be treated in good faith, and that the reporter would not be penalized.

It’s not surprising that some companies react to be being notified about potential security issues by threatening the messenger with legal action – which has a chilling effect on responsible disclosure. The policy just helps set expectations on all sides.

 

[Emporia Support]

Hi @zerog2k,

Sorry for the delayed response. We agree with the points you’ve provided above. We’ll be having discussions around this concept within the company and I hope to have updates to share soon (although I don’t want to commit to a specific timeline). If you have a particular concern, please feel free to reach out directly to the Support team and we can discuss any issues you have outside of the public forum. Thanks!

Emporia Support Team

[Author]

Posts