How Do You Report A Security Hole?
from the difficulties dept
A SecurityFocus article about how Guess (the fashion company) had a security hole in their server that let people access their customers’ credit card records. As they say, this “credit cards exposed” story is quickly becoming the “dog bites man” story of the internet. A different one appears every few days. The interesting part of this story was how the guy who discovered the hole couldn’t get to the right person at Guess to fix the hole. He sent emails that were ignored. He called and was transferred around and dumped off into voicemail. There isn’t a standard person or method for contacting companies about security holes, and some people are suggesting that maybe their should be. Instead, what usually seems to happen is that after a few useless attempts, whoever found the hole ends up going public to the media – and then no one is happy.
Comments on “How Do You Report A Security Hole?”
You get more results with a kind word and a 2x4...
than with a kind word alone.
Companies who don’t have some way of reporting security breaches should have their problems aired in public. Even M$ had security holes into their network and the one who found them months back had notified them only to still have them around until recently.
Sometimes embarressment can be an excellent motivator (along with depressed stock prices, a pink slip, or 2×4)…