Ron Nahamias, Cyberpion co-founder and CBO, has a piece in Security Magazine that includes a topic near and dear to my heart — companies that do not provide a way to notify them of a security breach, leak, or vulnerability. He writes, in part:
Sometimes the burying of the head in the sand, even if it’s borne out of desperation and a practice of being overworked and understaffed, turns into something deliberate.
But while companies are dragging their feet, bad actors are mobilizing their armies. In my own work, I’ve met CISOs — more than I care to admit — who create an email address that doesn’t even fit their company’s standard. This makes them harder to contact, and therefore, essentially impossible to alert. Some organizations’ existing disclosure programs are even designated as “top secret,” bound by strict NDAs and accessible by invitation only. The drawbridge is always up; the moat is considered impossible. And what organizations don’t know, they are not beholden to either address or resolve. I’ve also run into plenty of organizations who declare outright that they don’t want to want to receive disclosures, because they have no desire and / or no capacity to deal with the liabilities created by them.
Read more on Security Magazine.
For the last 15 years, I have been loudly yelling that entities should be required to have monitored accounts/contact information displayed on their web site that tells people how to contact them to report a breach (or leak or any security concern). The current situation remains lopsided: ethical researchers have a duty to disclose responsibly, but entities have no legal obligation to make such disclosure possible and successful by providing working and monitored contact methods.
Isn’t it time the government made this mandatory? Isn’t it time, already?