Safer reporting of PII exposure for WhiteHats

News by Jay Jay

Open Bug Bounty has launched its new GDPR PII Exposure programme which, it says, will make it easier for security researchers to report the exposure of personal data (PII) on websites to website owners in a timely, reliable and discreet manner.

Under the new programme, information about personally identifiable information exposed on a website will be restricted to the affected organisation and the researcher who identified the exposure. Once a researcher reports an exposure, Open Bug Bounty will independently verify it and notify the website owner through various channels.

The GDPR PII Exposure programme is designed to keep the data provided by a researcher confidential: Open Bug Bounty will not process or store any PII itself, and will require only an anonymised sample of the data to verify a submission.

If it is established that the exposed PII potentially violates GDPR requirements, website owners will be able to promptly remove or anonymise the data, so that the exposure is actually addressed.

"We only accept Cross-Site Scripting, CSRF and some other vulnerabilities that figure among the most common web application vulnerabilities today. When reporting GDPR PII exposure, we do not store the PII but the blurred screenshot after verifying the vulnerability.

"The proper process of testing for these vulnerabilities is harmless and cannot damage a website, database, server or related infrastructure. We do not accept vulnerabilities that can, or are intended to, harm a website, its data or related infrastructure," Open Bug Bounty said.

"When white hat researchers identify security or data leakage issues, they can put themselves in peril by reporting these issues to vendors or companies. It all depends on how that organisation reacts to the information – they can cooperate positively, or they can become actively hostile," Jonny Milliken, manager of the research team at Alert Logic, told SC Magazine UK.

"Services such as this reduce the risk that researchers can be made personally liable for reporting leaked data – even when they are just trying to help. This can only help improve the reporting and the conversation about good security across the board. Whistleblowing for the digital age," he added.

Advising website owners, Ilia Kolochenko, CEO of High-Tech Bridge, says that before commissioning crowd security testing, organisations must weigh the fixed costs of bug bounty management and ensure they are properly equipped to handle a continuous flow of vulnerability reports.

"Open Bug Bounty offers interesting benefits for website owners such as self-regulation and no fixed costs. However, it may also require supplementary attention from your team to respectfully treat the researchers in a timely manner. Therefore, when selecting where to run a bounty programme you should consider your costs (fixed and variable), your ability to timely remediate the findings and your capacity to properly handle communications with security researchers," he says.
