Tuesday, 8 January 2013

Anonymous Vulnerability Reporting Service

Is there an Anonymous Vulnerability Reporting Service out there?

Basically one where it is possible to report a vulnerability on a website without worrying about the other side throwing a tantrum and accusing the messenger of 'malicious hacking'?

It is a sad state of our industry that this is needed, but with the current computer criminal laws making all internet users potential criminals, it is too risky to put a career in the hands of the company that created the vulnerable product or service.

Ideally this service would allow:

  • Anonymous reporting of a vulnerability in XYZ product or website (in a way that makes it impossible to trace back the entity/person who reported the vulnerability)
  • Data encryption so that only the target company/owner could see the information
  • Two-way communication channel between both parties
  • All details published after the vulnerability is fixed (perhaps with some time allowed for patching)
All data should be stored in a Git repo so that there is data integrity (perhaps with a unique identifier added so that the entity reporting the vulnerability could, if desired, claim authorship of the discovery).
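The last two requirements (tamper-evident storage and a way to claim authorship later without revealing identity up front) can be illustrated without a full service. The following is an added example, not code from the original post: it uses a SHA-256 commitment to (nonce || report) as the "unique identifier" the reporter publishes at submission time, and an append-only hash chain as a stand-in for the Git history the post proposes. The report text, nonce and event names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def commit_authorship(report: bytes, nonce: bytes) -> str:
    """Return a hex SHA-256 commitment to (nonce || report).

    Publishing only the commitment reveals nothing about who made it; the
    reporter can later disclose the nonce to prove they held this exact
    report at submission time. The nonce must be random and kept secret
    until the claim is made.
    """
    return hashlib.sha256(nonce + report).hexdigest()


def verify_authorship(report: bytes, nonce: bytes, commitment: str) -> bool:
    """Check a disclosed nonce against a previously published commitment."""
    return hmac.compare_digest(commit_authorship(report, nonce), commitment)


class IntegrityLog:
    """Append-only, hash-chained record of submissions (stand-in for a Git repo).

    Each entry id covers the previous id and the entry's own payload, so
    changing or removing any earlier entry invalidates every id after it.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(prev: str, payload: dict) -> str:
        # Canonical JSON so the same payload always hashes the same way.
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

    def append(self, payload: dict) -> str:
        prev = self.entries[-1]["id"] if self.entries else self.GENESIS
        entry_id = self._digest(prev, payload)
        self.entries.append({"id": entry_id, "prev": prev, "payload": payload})
        return entry_id

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; False on any mismatch."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["payload"]) != entry["id"]:
                return False
            prev = entry["id"]
        return True


def run_demo(nonce: Optional[bytes] = None) -> dict:
    """Walk one constructed report through submission, authorship claim and tamper check."""
    report = b"Constructed sample: input validation issue in the search form of example.invalid"
    nonce = nonce if nonce is not None else secrets.token_bytes(32)
    commitment = commit_authorship(report, nonce)

    log = IntegrityLog()
    # At submission only the commitment is recorded, not the report or the reporter.
    log.append({"event": "submitted", "commitment": commitment})
    # After the fix, the details are published as the post proposes.
    log.append({"event": "fixed_and_published", "report": report.decode("utf-8")})
    intact = log.verify()

    # Simulate someone editing the published record and confirm it is detected.
    log.entries[1]["payload"]["report"] = "altered text"
    tamper_detected = not log.verify()

    return {
        "claim_ok": verify_authorship(report, nonce, commitment),
        "wrong_nonce_rejected": not verify_authorship(report, b"\x00" * 32, commitment),
        "chain_intact_before_tamper": intact,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The commitment is only as anonymous as the channel used to submit it; it proves possession of the report at a point in time, not who sent it, which is exactly why it can be published immediately while the nonce stays with the reporter.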

Btw: If you think that there should be no anonymity on the internet, read Hacking the Future: Privacy, Identity and Anonymity on the Web.

1 comment:

Romich said...

There is a site called xssesd.com, however it meets none of your requirements except for anonymous reporting (assuming a reporter can register under a fake name using an anonymiser). There was another company whose name I don't recall that actually sells this service to clients. So they monitor hacker sites, forums etc., and also get stuff submitted to them from "responsible" hackers. Then they turn around and sell this info on a subscription basis to their customers. The problem here: selling this info is borderline extortion (at least in some companies' view).
The other issue with your requirements is that a hacker, in my mind, would need to have an incentive to submit this information. It can be recognition, some positive feedback on my LinkedIn page, a t-shirt, whatever. But just reporting it into a vacuum without any feedback is probably not what they will do.