The criminalization of security research does not seem to be slowing down at any point in the near future, even when a good Samaritan takes the time to point out security flaws in a website that anyone and their trained marsupial could find without any great amount of skill. Frankly, it gives me a headache just thinking about how we keep having this same conversation.
Enter, Joshua Rogers.
From ABC News AU:
A Melbourne schoolboy has exposed a security flaw in the website of Public Transport Victoria (PTV), the government authority that provides details about trains, buses and trams.
Joshua Rogers, 16, says he found the database of people who used the old Metlink online store by chance.
The database includes names, phone numbers and credit cards.
The teenager says he stumbled across the problem while browsing the website.
Personally identifiable information and credit cards? Yeah, that doesn't sound good at all. What's worse is that PTV then referred the entire matter to...the police. Sort of a nice "screw you" to Rogers for taking the time to let them know about their glaring issue.
Casey Ellis, CEO of Bugcrowd, had this to say: "The given in all of this is that vulnerabilities happen, and bad ones like this one only persist because the owner doesn't know that they are there... So having a vulnerability go from being an unknown unknown to a known known is a good thing for the security of the business and the safety of its users. This is old news, but it bears repeating when stuff like this happens. Ultimately the PTV is better off for this having happened from a security perspective."
But, what about PTV calling in the police?
Ellis said, "There's a persistent assumption that people who can hack computers are 'bad'. It's common for companies to react badly to vulnerabilities from a penetration test, let alone from an unknown researcher who has tested without permission, regardless of how valuable the information is. This is a big and key part of what Bugcrowd is trying to shift."
Now, while this is obviously a biased opinion ;) it is one that is shared by this scribbler. I have worked for companies whose position ranged from "no one would want to hack us" to "call the police, now!" when it was discovered that someone had logged into an FTP server that had no banner and allowed anonymous access. There needs to be a rational response.
In closing, Ellis offered this: "Companies need to understand that bad guys and good guys alike are going to do this anyway and decide on how they are going to respond to it."
There is a significant and growing need for organizations and/or firms that can act as a proxy on behalf of researchers. Researchers are doing the testing whether you like it or not. You can either brace yourself and deal with researchers like adults, or take your free penetration tests from the denizens of the Internet and wait for your report to be presented on the front page of the Washington Post.
What are your thoughts on bug bounties and the apparent attitude shift towards the criminalization of security research? Drop a note in the comments section.
(Image used under CC from j@ys0n)