A friend tweeted to me tonight:
.@PogoWasRight you have been beating this drum and saying this for a long time now… years. “report reveals they are instead ‘frequently ignored or misunderstood’”. Now u have a report! 😉 https://t.co/WYu94gQQfu
— Commissioner Miner (@fanCRTCProfling) January 19, 2018
Indeed we do.
Carly Page reports:
One in four ethical hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.
That’s according to HackerOne’s ‘2018 Hacker Report’, which surveyed 1,698 members of the hacking community – making it the largest documented survey ever conducted of the ethical hacking community.
One of the standout discoveries was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the bug-ridden company in question lacked a vulnerability disclosure policy (VDP).
This doesn’t mean the hackers don’t try – with HackerOne noting that many attempt to contact firms via social media and email but are “frequently ignored or misunderstood.”
Read more on Inquirer.net. And keep in mind that the rate of reporting will drop, or be chilled outright, if law enforcement treats ethical hackers and greyhats like blackhats and attempts to prosecute them. Our federal hacking statute, the CFAA, needs revision, and that revision needs to protect researchers who attempt to responsibly disclose what they have found.