Your organization has just received a report from an independent security researcher, who claims to have discovered a vulnerability in one of your web applications. The researcher has provided detailed steps to reproduce the issue. What is the most appropriate initial response to this situation that aligns with responsible disclosure practices?
Immediately offer a reward to the researcher for finding the vulnerability.
Publicly thank the researcher on social media platforms to proactively manage public relations.
Ignore the report as it has not been verified by your internal security team yet.
Acknowledge receipt of the report and assure the researcher that their findings are being investigated.
The correct response to a reported vulnerability by a security researcher is to acknowledge receipt of the report. This leads to establishing a communication channel with the researcher which is a best practice in responsible disclosure programs. It also ensures the researcher that the report has been received and will be looked into, potentially preventing them from publicly disclosing the vulnerability before it's remediated. It's important not to ignore the report, as that can lead to the researcher becoming frustrated and possibly deciding to disclose the vulnerability to the public, which could put the company at risk. Publicly thanking the researcher before verifying the report might give the issue more limelight than necessary, potentially even before understanding the full implications. Offering a reward immediately may not be the best step if the organization does not have a bounty program in place or the claim has not yet been verified.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are responsible disclosure practices?
Open an interactive chat with Bash
What should organizations do after acknowledging a vulnerability report?
Open an interactive chat with Bash
What steps can organizations take to incentivize responsible disclosure without offering immediate rewards?