Anyone who talks about a culture of error in IT is actually talking about Responsible Disclosure. But is this principle known to everyone? Probably not – and that applies to both sides: the side that has a vulnerability and needs to close it, and the side that discovers it and should handle it responsibly.

The Responsible Disclosure procedure is used by IT experts to report vulnerabilities in software or systems in a fair and solution-oriented manner. Anyone who encounters such a security risk should first document it properly: record how the vulnerability was found, what impact it could have, and what steps are necessary to reproduce it.

Thomas Tschersich, Chief Security Officer (CSO) Deutsche Telekom AG.


Then it is important to contact the developers, the manufacturer or the company responsible for the system. This is usually done via a contact provided for this purpose. At Deutsche Telekom, this is bugbounty-DE@t-mobile.cz. The next steps require transparency, patience and trust – otherwise things escalate at exactly this point. Anyone who reports such a vulnerability should now give those affected appropriate time to deal with it. Depending on the case, investigating and resolving a vulnerability in complex systems can take weeks or even months.

At the same time, the dialogue must be continued so that no misunderstandings arise, and no impression that reporting the vulnerability has not helped. Ideally, both sides exchange information on the time frame and agree on how to proceed, for example on how to communicate about it. If the company or developer has fixed the vulnerability, or if the agreed waiting period has expired without an adequate response, the time may have come to make the vulnerability public by other means, for example to warn other users. This is fair, because there was the opportunity to change the situation. It is quite different when someone finds a vulnerability and, while still in contact with those affected, the rest of the world also learns about it via social media. That is rather unfair and has nothing to do with Responsible Disclosure. After all, it is essentially about treating sensitive information confidentially and not about punishing developers for mistakes – in short, about living a positive culture of error.

Where people work, people also make mistakes. Dealing with this appropriately is important for a shared culture of error. At Deutsche Telekom, we believe in Responsible Disclosure and reward information through a bug bounty program. In this way, we have gained valuable insights over the years – thanks to the help of talented security researchers, whom we thank for helping us to become better. You can find more information here.
