How to handle security vulnerability reports

There are people out there willing to help with your company’s security issues. Isn’t it time your company had its own ‘see something, say something’ policy?

If there’s a flaw in your IT security — and there probably is — you can’t assume that someone in your organization will be the first to find it. But if you’re lucky, instead of ending up with ransomware or a data breach, you might hear about it from a security researcher or even a smart customer who’s spotted the problem and wants to warn you. Are you ready to listen?

Many companies aren’t, warns security consultant Troy Hunt. Hunt runs haveibeenpwned.com, a website that helps people discover if any of their accounts have been compromised by data breaches. Because of his role with the website, he routinely finds himself in a position to contact organizations about breaches and other security issues that he’s found or that other people pass on to him.

“It’s often very difficult just to get in touch with a company in the first place — even the big ones. I’m going through multiple data breaches and I just can’t get the contacts,” he told CIO.com. When he discovered some 40,000 patient reports from an Indian pathology lab — including sensitive information like HIV status — were publicly available, the obvious ways of contacting the lab didn’t work. “Email was bouncing; even the WHOIS contact information for their domain was bouncing.”