Highlighting cases where organisations were informed, sometimes by researchers or "white hat" hackers, of vulnerabilities but did not take appropriate action, a ZDNet report quotes Bugcrowd's Jonathan Cran as saying, "It really comes down to 'don't be a jerk'—on both sides. But that's not legally scalable … Unless the organization defines what they expect with a responsible disclosure or bug bounty policy, the researcher is often left guessing." Cran discusses the importance of organisations becoming "proactive in defining 'reasonable' or 'responsible'—and setting expectations" or researchers are left "to decide what it means for both parties. Often, researchers have a sense of civic responsibility to let the public know what they've found."