
Open For Review: Web Sites That Accept Security Research

So one of the core aspects of my mostly-kidding-but-no-really White Hat Hacker Flowchart is that, if the target is a web site and it's not running on your own server, you pretty much need permission before you actively probe it for vulnerabilities.

Luckily, a decent number of sites actually grant that permission up front through a published vulnerability disclosure policy:

Paypal
Facebook
37 Signals
Salesforce
Microsoft
Google
Twitter
Mozilla
UPDATE 1:
eBay
Adobe
UPDATE 2, courtesy of Neal Poole:
Reddit (this is particularly awesome)
GitHub
UPDATE 3:
Constant Contact

One could argue that you can tell who in the marketplace has a crack security team by who is willing and able to commit the resources for an open vulnerability review policy.

Some smaller sites have also jumped on board (mostly absorbing and reiterating Salesforce’s policy — cool!):

Zeggio
Simplify, LLC
Team Unify
Skoodat
Relaso
Modus CSR
CloudNetz
UPDATE 2:
EMPTrust
Apriva

There are some interesting implications to all of this, but for now let's just get the list out there. Feel free to post more in the comments!

Categories: Security
  1. February 26, 2012 at 7:45 pm

    Dan, thanks, never knew that sites accept vulnerability research

  2. February 27, 2012 at 8:02 am

    hey Dan, nice article, I think that many companies must do the same thing.. anyway, you forgot to add Adobe and eBay to the list

  3. February 27, 2012 at 9:14 am

    I believe that by allowing a bit of public testing, so to speak, organizations could benefit very well. A pen test is only a test, but allowing real-world probes of this manner with an adequate method of reporting issues can only benefit organizations. I didn’t know so many allowed such testing either, thanks!

  4. February 27, 2012 at 3:26 pm

    Interesting “Modus CSR does not compensate people for reporting a security vulnerability, and any requests for such compensation will be considered a violation of the conditions above. In such an event, Modus CSR reserves all of its legal rights.”.

    So basically do you think I (anyone) will be interested in reporting it? C'mon, let's be serious 😀
    At least give a symbolic amount of money, like $100

    With such a policy, IMHO, it’s like they save money because people report bugs, while they don’t care to spend 50.000 pounds for a serious pentest.
    Ridiculous, IMHO.

  5. February 27, 2012 at 4:01 pm

    Unfortunately even when a website owner gives you permission, if they don’t understand what they’re giving permission for they’ll still try to drop the shit on you in my experience!

    Be sure to document everything and work within the confines of what’s written down. If you gain access to any unauthorised records or data then take only what you need to validate your finding. For example if a screen shot of a DB is enough then don’t copy out the entire DB contents.

  6. February 27, 2012 at 4:49 pm

    Be careful, you *must* read the terms and conditions first: I’d read Facebook’s policy a while back and it only allows *limited* testing, I would assume the remainder are the same. So for example, it may be fine to test for XSS vulnerabilities on their primary web platform but trying an exploit against their VPN setup would likely land you in rather hot water.

    It is however good that these companies are coming out in a positive stance. I didn’t realise there were so many on the list. I do know Google & Facebook offer (small) rewards for reporting certain classes of security vulnerabilities.

    Personally, I’d still be a tad nervous doing anything particularly “active” without permission and scope being defined in a legally binding document. The “do you want me to do this”, “are you sure you want me to do this”, “are you really, really sure” type permissions tend to cover your backside when you actually do said work and their servers start falling over.

  7. March 6, 2012 at 4:09 am

    @Dan,

    I maintain a list at http://delicious.com/cmlh/Vulnerability.Disclosure and some entries that are missing from your list are http://aws.amazon.com/security/vulnerability-reporting/ and https://squareup.com/security/levels i.e. search for “Research and Disclosure”.

  8. Zachary Lym
    March 7, 2012 at 12:26 am

    Why not pass this to the EFF and see if they can’t collude with Slashdot/Reddit/Digg to get some publicity for the practice (and the companies)?

  9. March 12, 2012 at 2:59 am

    Some more:

    http://help.github.com/responsible-disclosure/
    https://www.dropbox.com/dmca#security
    http://code.reddit.com/wiki/help/whitehat (they could really make this more prominent, it took me forever to find the link)
