What triggered this article was my umpteenth email to the CTO, VP of Engineering and the Security Analyst of a leading food delivery platform. We at we45 have been trying to reach them for the past 3 months to wilfully and responsibly disclose a full-blown security bug that our guys had researched. I will not get into what the bug was, but I can tell you this - the bug had a direct financial business impact on their operations and WILL have an impact on their top and bottom lines.
For all these months there has been one constant nagging voice in my head - "How does one choose to ignore such a message?" Do they think of it as a false alarm? Do they feel awkward accepting an unintentional security bug? Are they going to make their internal security team look bad? However one looks at it, the bottom line seems to be some kind of inertia. Right? Well, before we begin pointing fingers, I tried wearing the hat of a recipient of such an email, and three major thoughts crossed my mind.
The inorganic rise of consumer (mobile) applications has drawn the attention of cyber security firms worldwide. Responsible disclosure (with a capital "R") of security vulnerabilities is a common practice and is well accepted. In fact, some companies run perennial bug bounties on their platforms. It seems quite obvious that such bounties are always a "win-win". Which brings us back to the question - "Why would companies choose to go silent on such disclosures?"
There really is no set formula to understand the psyche of a "victim" - however fatal the vulnerability. That said, reaching the right people, at the right time with the right tone seems to be key.