
Being vulnerable
Neil Sanson
9 December 2015


Being vulnerable is not comfortable. And having a stranger tell you that you are vulnerable, in a way you had not even thought of, can be scary. But when it comes to vulnerabilities in the website you are looking after, a panic response is not helpful.

It is very hard, even for the best web developers, to make a website that does not have any vulnerabilities. Attackers keep coming up with new approaches, so a website that was thought to be secure when it was developed may become insecure once a new technique is discovered.

Some of the people who attack websites have criminal intentions. But there are also people who will try to hack a website out of sheer curiosity, or for the intellectual challenge. If they find a vulnerability, the best outcome for you is that they tell you about it, so you can fix it.

But often they do not know who to tell, and may be worried that the website owner would try to punish them for their actions. Such incidents have occurred in New Zealand, for example the Ecan bus fare card case in 2013.

NZITF policy

To take the fear out of the situation, the New Zealand Internet Task Force (NZITF) has decided to encourage the adoption of responsible disclosure policies. NZITF members are the technically-minded people who help keep the Internet infrastructure in New Zealand safe. The idea of responsible disclosure has been around for a number of years, under various names including ‘coordinated disclosure’ or ‘responsible security disclosure’.

Our policy

We think this is a sound approach, and have recently published our own Vulnerability Disclosure Policy. The idea is to assure anyone who notices a problem with our website that they can tell us without any likelihood of recrimination. We care about getting the security of our website right and we will listen. The policy also holds us publicly accountable for fixing any such problems, because we accept that the person who found the problem can publish information about it.

We are not alone in thinking that being open to feedback is preferable to being defensive and hostile. Internationally, some large companies such as Google have equivalent policies. Other agencies in New Zealand that have published similar policies include the Domain Name Commission, New Zealand Registry Services, Signify and Sky.

For help in adopting a vulnerability disclosure policy for your organisation, I suggest you read the NZITF’s guidance on the subject.

Image credit: SDASM Archives via Creative Commons
