Introducing my new Vulnerability Disclosure Policy

Just a quick one this week - as it’s almost the end of the weekend and I still have a ton of things to do!

This week, I’ve introduced my new Vulnerability Disclosure Policy. Basically - I privately tell organisations about security vulnerabilities on their websites, then I wait a minimum of 60 days (for them to fix it) before publicly disclosing information about the vulnerabilities, whether they’ve been fixed or not.

This might seem a little hardcore, but I feel it’s neccessary to start doing this. Often, I’m ignored by organisations who don’t feel things such as using a HTTPS connection for usernames and passwords is important. I bet their customers, when they understand the implications of this, WILL mind!

Disclosing publicly often gets these issues looked at, because customers will start asking questions. Simple as that. So, I’ve put my Vulnerability Disclosure Policy on this website and next week will start public disclosures. Watch this space!

Written on February 26, 2017