Bug Report: call to action!
Bug Report: call to action!
Monday 06 January 2020 Have you been there? All you really want to do, is to get your own actions and projects done before the end of the year. That's quite enough!
But the team always has some good ideas that must be picked up too ..... And then a message drops into your mailbox that you almost click away, probably spam! But, you cannot ignore this message: it is a Bug Report. Oh no! You know this cannot be ignored. You’ll have to initiate the relevant procedure, with the inevitable follow-ups and communication to the reporter. Even more important than the actions that are still on the to do list!
In December we at CIO Platform Nederland received such a bug report from Asif aka "Ultimate Haxor", a hacker. It was a comprehensive message about a vulnerability he had found and which made our website vulnerable to clickjacking. In the e-mail the "Ultimate Haxor", unknown to us, had clearly written a description and PoC and also offered two solutions to deal with this vulnerability.
In accordance with our policy, we reported the incident with our hosting provider and asked them to verify the report and, if necessary, resolve it. The report turned out to be correct. Fortunately, the fix was quite easy. Within 2 days we were able to thank the reporter and let him know that the vulnerability had been fixed. He came back with the question what the reward was for this report.
At CIO Platform Nederland, our policy is not to provide financial incentives for such Responsible Disclosure / Coordinated Vulnerability Disclosure notifications. Instead, we offered to share this experience with our members and of course say a word of thanks to Asif "Ultimate Haxor". Hereby!
Based on the principle of Sharing is Caring, we are also curious about your experience with such kind of bug reports. How current is your Coordinated vulnerability disclosure policy? How many of these notifications do you receive and does the procedure work? What if a bug cannot be solved (quickly), how does the reporter react to this message? How do you involve the reporter and how are communications with reporters handled?
At the bureau of CIO Platform Nederland we are vigilant!
More news
Kick off session CxOs in the Maritime Sector | Data in the Port Ecosystem
Friday 19 July 2024 Knowledge sharing on digitization topics relevant to the maritime sector. Meetings are organized by/in cooperation with CIO Platform Netherlands and are open to organizations wishing to share knowledge on substantive issues. CIO Platform Netherlands reserves the right to deny access to meetings. full storyA quick look back at the first six months of 2024
Friday 12 July 2024 A nice summer blog of our new board member Edward Cox, also General Manager Louwman Group Services. Have a nice summer! full storyAnnual Day 2024 - Aftermovie
Monday 08 July 2024 A record number of CIO Platform Nederland members gathered on June 6th to celebrate our community's valuable and sociable Annual Day together under the banner 'Elevate your Digital Transformation'. Watch the aftermovie here. full storyResearch on labour market shortages, help us reach 100 and help yourself!
Monday 24 June 2024 The shortage of qualified ICT talent is a brake on growth for many organisations. Together with other organisations, we are committed to tackling this challenge. We would like to ask for the help of our members by filling out a survey. full story