Last updated: 
2 months 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Dutch national responsible disclosure guidelines

Monday, June 23, 2014 - 22:55

From personal experience many years ago I know the frustration of discovering a security vulnerability in a website, wanting to warn the site owners, but being unable to find a responsive contact to accept the information. However I also know, from even longer ago, what it's like to be a sysadmin told by a stranger that my precious computer has a bug in it that I urgently need to fix. They no doubt thought they were helping me, but it was awfully tempting to shoot the messenger! I was therefore particularly interested in a presentation of the Netherlands' national Responsible Disclosure Guidelines, which try to help both sides in this discussion by establishing some basic ground rules likely to lead to an outcome that benefits both parties.

Having spoken to a wide range of vulnerability researchers, organisations, lawyers, journalists and law enforcement agencies, the Guidelines' authors identified the key points as establishing and maintaining effective communications, and ensuring that the expectations of both parties are aligned. Thus by adopting the Guidelines, organisations agree that they will act on reports of security issues in a timely fashion (letting the reporter know if normal timescales need to be extended), reporters agree that they will do no more than is needed to identify and accurately describe the problem. Reporters shouldn’t feel they need to actually exploit a system in order to provide "proof" before they will be believed. Organisations need to provide and advertise points of contact - helpdesks and telephone switchboards probably aren't good places to have these discussions - and neither side should use threats, whether of arrest or blackmail, as part of their negotiating strategy. Organisations are, after all, being offered a very cost-effective penetration test; many reporters will be satisfied to know that they have improved security and delighted to be offered a T-shirt, trophy or site visit (all have been used as rewards by organisations participating in the Dutch scheme) as a thank you.

The proof of any such scheme is in take-up – I was reminded over Twitter of a long-expired attempt to develop a responsible disclosure RFC. The Dutch scheme seems to be doing well on this measure, with a much wider range of organisations than expected participating - some developing new internal structures and systems to implement the Guidelines - and even examples of journalists following the process rather than immediately publishing when they receive tip-offs from vulnerability finders who wish to remain anonymous.