Tuesday, 8 January 2013

Anonymous Vulnerability Reporting Service

Is there an Anonymous Vulnerability Reporting Service out there?

Basically, one where it is possible to report a vulnerability on a website without worrying about the other side throwing a tantrum and accusing the messenger of 'malicious hacking'?

It is a sad state of our industry that this is needed, but with the current computer crime laws making every internet user a potential criminal, it is too risky to put a career in the hands of the company that created the vulnerable product or service.

Ideally this service would allow:

  • Anonymous reporting of a vulnerability in XYZ product or website (in a way that it is not possible to trace back the entity/person who reported the vulnerability)
  • Data encryption so that only the target company/owner could see the information
  • Two way communication channel between both parties
  • All details published after the vulnerability is fixed (with maybe some time made available for patching)

All data should be stored in a Git repo so that there is data integrity (with maybe a unique identifier being added so that the entity reporting the vulnerability could, if desired, claim authorship of the discovery).
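
One way the unique identifier could work, as an added example that is not part of the original post: the reporter keeps a random secret and publishes only a keyed hash of the report, then reveals the secret later to claim authorship. The HMAC-SHA256 construction and the names `make_claim_token` and `verify_claim` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple


def make_claim_token(report: bytes) -> Tuple[str, str]:
    """Return (claim_secret, claim_id) for a report.

    claim_secret stays with the reporter and is never sent to the service.
    claim_id is published next to the report (for example in the commit that
    stores it) and reveals nothing about who generated it.
    """
    claim_secret = secrets.token_hex(32)  # 256-bit random key
    claim_id = hmac.new(bytes.fromhex(claim_secret), report, hashlib.sha256).hexdigest()
    return claim_secret, claim_id


def verify_claim(report: bytes, claim_id: str, revealed_secret: str) -> bool:
    """Check that revealed_secret reproduces the published claim_id."""
    try:
        key = bytes.fromhex(revealed_secret)
    except ValueError:
        return False  # malformed secret can never match
    expected = hmac.new(key, report, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, claim_id)


if __name__ == "__main__":
    # Constructed sample report text, not a real finding.
    report = b"Constructed sample: reflected XSS in the search form of product XYZ"
    secret, claim_id = make_claim_token(report)
    print("published with report:", claim_id)
    print("reporter claim verifies:", verify_claim(report, claim_id, secret))
    print("impostor claim verifies:", verify_claim(report, claim_id, secrets.token_hex(32)))
```

Because the identifier is bound to the exact report bytes, it only verifies against the report as stored, which the Git history already makes tamper-evident.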

Btw: If you think that there should be no anonymity on the internet, read Hacking the Future: Privacy, Identity, and Anonymity on the Web