Responsible Disclosure

What is responsible disclosure?

It is a term that is used to describe a specific strategy employed by an organisation when making a disclosure regarding the details of the functionality of hardware and software products being developed by that company. The general idea of this approach is to eventually make full disclosure of all relevant information regarding these products or services, while also choosing to withhold certain information for a limited period of time prior to making a full disclosure.

As described by well-known security guru Bruce Schneier on his Schneier on Security blog “Full disclosure — the practice of making the details of security vulnerabilities public — is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure. Unfortunately, secrecy sounds like a good idea. Keeping software vulnerabilities secret, the argument goes, keeps them out of the hands of the hackers. The problem, according to this position, is less the vulnerability itself and more the information about the vulnerability” (Schneier, 2007).

So, a bunch of software companies, and some security researchers, banded together and invented “responsible disclosure”. The basic idea was that the threat of publishing the vulnerability is almost as good as actually publishing it. A responsible researcher would quietly give the software vendor a head start on patching its software, before releasing the vulnerability to the public.

Why is responsible disclosure a good idea?

By employing this strategy developers have the opportunity to identify and resolve issues with their products and services while minimizing the chances of hackers being alerted to those issues and taking advantage of them.

There are different opinions regarding the use of responsible disclosure. Admirers of the concept believe that in many cases the vulnerabilities with hardware and software products are relatively undetectable during the development stages of the process and only come to light once the products are available on the open market where people start using the product or service. Once they are uncovered by selected users who make it a point to utilize the products in every possible way they can, those issues are reported back to the developers, who are then able to fix problems. The full disclosure comes about when the fixes and patches are released and made widely available to consumers. By using this more casual approach, there is less opportunity for malicious actors to take advantage of the issues, since the chances of hearing about the issues is reduced significantly.

Scotcoin bug bounty program

In light of a recent disclosure, TSP has taken the decision to announce an initial pool of 1m (1,000,000) Scotcoin worth around ~£100k at the time of writing. Bugs will attract bounties on the usual sliding scale related to their severity with self XSS attacks at the bottom of the ladder whilst RCE’s with an attached proof of concept will naturally attract top tier rewards.

Please make any disclosures to info at scotcoinproject dot com and we look forward to working with the community to create a safe, usable and practical crypto environment for Scotland and beyond.

More news