This policy supports our commitment to making our online systems as safe and secure as possible, and resolving any security issues in a way that minimises risk and disruption for our customers.
Recognising that our services run in endless configurations and with countless applications, we believe the best approach is to work in a collaborative and co-ordinated way with whoever discovers the flaw.
We ask the security research community to give us the opportunity to correct any vulnerabilities they may find before disclosing them, as we do when we discover breaches in other systems.
In return for people acting in good faith and following our guidelines, we promise the information disclosed to us will not be shared with others without the security researcher’s permission. We also pledge not to take legal action against people who adhere to our policies.
In fact, if a security researcher were to report a vulnerability that affects our services and infrastructure, we’d publicly give thanks, and in some cases, offer a monetary reward.
Google routinely pay out cash rewards from $100 to $20,000 to security researchers as part of their Vulnerability Reward Programme.
For decades research has shown the important role that researchers can play in keeping systems secure, and a collaborative approach is more beneficial than treating everyone with suspicion.
However, some companies have stuck to the tradition of treating security research activity as criminal.
In this article, a 16-year-old found a basic security hole that allowed him to access the personal details of 600,000 people.
But after reporting the flaw, instead of a thank you, the researcher received a visit from the police.
In the United States, Andrew Auernheimer, aka “weev”, is serving three-and-a-half years in prison for identity theft and hacking after discovering a hole in a website that allowed anyone to obtain the email addresses of iPad users.
Google’s Vulnerability Reward Programme tries to prevent would-be Samaritans from getting into trouble, with a clause stating that they will often pay more to people who report faults early on, to prevent them digging around further.
Last year the New Zealand Internet Task Force released the first draft of the Responsible Disclosure Guidelines to provide guidance for people who discover vulnerabilities and for organisations that have the weakness. They believe clear boundaries and outlining all parties’ responsibilities will make it easier for security professionals to work together and help improve cyber security in New Zealand, something of benefit to suppliers and consumers alike.