What You Need to Know about Responsible Disclosure
Laurie Mercer, January 27, 2021
Featured News, Tech. Image credit: Philipp Katzenberger

Chief Information Security Officers wake up to a full inbox every day. The job is to reduce the risk of a security incident, protect your organisation's digital assets, and ensure private and personal data are safe now and in the future. Keeping those assets secure is an ongoing task; many CISOs also find that it is impossible to scale security with internal resources alone.

Users will discover security vulnerabilities in your systems. If an obvious reporting channel is unavailable, they face an undesirable choice: contacting the CISO directly, reporting the vulnerability publicly, or doing nothing. All of these options can leave critical vulnerabilities unreported, unknown, and unresolved.

The Obstacles in Place When Reporting Security Risks

Walking past a neighbour's house, you see their back door has been left wide open. What would you do? You would probably call them, or send them a message to check everything is OK. For organisations, however, it is not that simple. When businesses do not empower hackers to disclose a vulnerability, that vulnerability puts the business and the public at risk. Reporting security vulnerabilities can expose the hacker to legal risk, so hackers may withhold vulnerability information or publish anonymously. On the other hand, when hackers report anonymously, it is difficult for organisations to obtain the key information they need to fix the vulnerability, and hackers do not

Continue Reading on Dynamic Business
