Team we45
November 1, 2016


What triggered this article was my umpteenth email to the CTO, VP of Engineering and the Security Analyst of a leading food delivery platform. We at we45 have been trying to reach them for the past 3 months, to wilfully and responsibly disclose a full-blown security bug that our guys had researched. I will not get into what the bug was, but I can tell you this - the bug had a direct financial business impact on their operations and WILL have an impact on their top and bottom lines.

There continues to be one constant nagging voice in my head for all these months - "How does one choose to ignore such a message?" Do they think of it as a False Alarm? Do they feel awkward accepting an unintentional security bug? Are they worried it will make their internal security team look bad? However one looks at it, the bottom line seems to be some kind of inertia. Right? Well, before we begin pointing fingers, I tried wearing the hat of a recipient of such an email, and three major thoughts crossed my mind.

The inorganic rise of consumer (mobile) applications has drawn the attention of cyber security firms worldwide. Responsible disclosure (with a capital "R") of security vulnerabilities is a common practice and is well accepted. In fact, some companies run perennial Bug Bounties on their platforms. It seems quite obvious that such bounties are always a "Win-Win". Which brings us back to the question - "Why would companies choose to go silent on such disclosures?"

  • Aim and Fire - Security disclosures are serious business. While companies appreciate disclosures of security loopholes, they would also prefer them to be addressed to the right audience. If you have a disclosure, don't flaunt it. It takes just a little bit of effort to address it to the right person. Broadcasting these emails to a larger group within the company often tends to be counter-productive. Remember - never, I repeat NEVER, use language that could even remotely suggest holding the customer to ransom! That's a road you don't want to go down.
  • The Whole Nine Yards - This is something that I've heard my customers complain about a lot. Heads of Engineering or Product Development often get disclosure emails with phrases like "Found something interesting", "Some serious issues", "seems to be vulnerable to" etc. Such emails make them more uncomfortable than the bug itself! If you've actually stumbled upon something, go ahead and explain the finding in detail, with supporting evidence. Incomplete disclosure emails are often considered spammy or even offensive.
  • When in Rome - It's extremely important to speak the language of your audience. In most cases, disclosure mails are too cryptic for a non-tech CEO to decipher, let alone understand the seriousness or impact of the finding. While it's important to go the whole nine yards, it's equally important to translate an (application) security bug into potential tangible business impact.

There really is no set formula for understanding the psyche of a "victim", however fatal the vulnerability. That said, reaching the right people, at the right time, with the right tone seems to be key.