50 Shades Of Gray In Cybersecurity (Part 1)

A friend told me this weekend… “You don’t know someone until they’re angry”. This is so true. The same applies to a team under pressure in an incident response: you find out who people really are when things go wrong.

When it comes to information security, there are a lot of gray areas that can make even the most seasoned cybersecurity experts feel uncertain. For SaaS executives without security experience, these gray areas can be even more confusing. So, what are these gray areas and how can they impact your business?

Gray and Black Markets of Cybersecurity

One example is vulnerability disclosure. Say a security researcher discovers a vulnerability in your company's system. They have a decision to make: report it to you (and, if you publish no disclosure policy, risk a legal threat for having poked at your systems), sit on it, or sell it. Buyers come in shades too: gray-market buyers such as exploit brokers resell to governments and vendors, while black-market buyers are criminals who will use the bug against you or your customers. It's a tough call for the researcher, and the outcome has serious implications for your business.

As a SaaS executive, it's important to understand the consequences of a discovered vulnerability being sold instead of reported. Beyond the direct risk of a data breach or other security incident, it damages the company's reputation and erodes customer trust. Therefore, it's crucial to have a vulnerability disclosure program (VDP) in place that encourages researchers to report what they find directly to you. A usable program spells out what is in scope, how to reach you (a monitored mailbox or form, published at /.well-known/security.txt per RFC 9116 so researchers can find it), how quickly you will acknowledge and triage a report, when the researcher may publish, and a safe-harbor statement that you will not pursue legal action against good-faith research that follows the rules. By establishing a relationship of trust with the security research community, companies increase the likelihood that vulnerabilities are reported and fixed before they are exploited.
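As an added illustration (not from the original post), this is the kind of security.txt file a VDP publishes at https://example.com/.well-known/security.txt per RFC 9116; the domain, addresses and dates are placeholders, and the safe-harbor wording itself lives at the Policy URL.

```text
# Served over HTTPS at https://example.com/.well-known/security.txt (placeholder domain).
# Contact and Expires are the two mandatory fields under RFC 9116.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
# Expires is ISO 8601; keep it under a year out so stale contacts are noticed.
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://example.com/security/pgp-key.txt
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
# The Policy URL is where scope, timelines and the safe-harbor statement are spelled out.
Policy: https://example.com/security/disclosure-policy
```

Researchers and scanners look for this file first, so an unmonitored Contact address is worse than none; the mailbox or form it points to has to be watched and answered within the timeline the policy promises.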

When Bug Bounty Goes Wrong

When a researcher sets a disclosure deadline (90 days is common), take it seriously and act swiftly. A deadline is normal coordinated disclosure, not extortion, and researchers will usually extend it if they can see you are actually fixing the issue. Open a direct line of communication and listen to their concerns. This means asking detailed questions about the vulnerability, its possible impact, reproduction steps, whether they accessed or retained any data, and any known exploits for it. Through that dialogue you can work with the researcher to ship the fix before the disclosure date, rather than trying to stop disclosure altogether.

In instances where the researcher is uncooperative, demands payment in exchange for silence, or the vulnerability is extremely serious, the organization may need to take additional measures to safeguard itself. This means enlisting legal counsel to guide the legal and ethical implications of the situation, and, if none exists yet, establishing a vulnerability disclosure program so there is a clear and formal procedure for handling future vulnerabilities. One caveat a practitioner will raise: a payment made to keep a breach quiet is not a bug bounty, however the paperwork is labelled.

Ultimately, the key is to prioritize transparency and communication in order to address the problem in a manner that is ethical and protects the security of the organization. This can involve keeping stakeholders informed throughout the process, providing regular updates on the vulnerability's status, and being responsive to any concerns or inquiries that may arise.

By adopting a proactive and thoughtful approach to vulnerability disclosure, organizations can mitigate the potential impact of vulnerabilities and foster trust with both researchers and customers.

💡An excellent read on the topic is Ryan McGeehan’s (@magoo) writeup of the USA v. Joseph Sullivan case, in which Uber's former CSO was convicted over handling the 2016 breach as a bug bounty payout rather than as an incident to report.

What Can You Do?

So, what can you do as a SaaS executive to navigate these gray areas? First and foremost, prioritize integrity and transparency. Have open and honest conversations about ethics and make tough decisions that prioritize the security of your organization while still respecting the privacy and rights of your employees and customers.

It's not easy, but it's necessary. The world of information security is full of gray areas, but by prioritizing integrity and transparency, you can help your business navigate them with confidence.

This article was inspired by this Tweet, which was a response to this by the amazing Michael Girdley.
