Another Sucuri “responsible disclosure” postmortem
James Giroux manages operations at PageLines. Last week, Sucuri notified them of a vulnerability, and he went through the rigmarole most of us are familiar with: juggling responsible disclosure while implementing a fix.
James did a postmortem on his blog today:
At the end of the day, this is a success. We were able to get the vulnerability patched really quickly. However, the way in which it was announced and the lack of communication from the Sucuri team made this extremely frustrating for the team at PageLines. This is not the first time Sucuri has been caught in the middle of a situation like this and I think that as they continue to become more aggressive at auditing software, they will need to reevaluate their way of handling these types of issues or they will end up scaring away more potential partners than they gain.
I think James’ advice is pretty good. Read his full version, but the short version is this:
- Don’t have your vulnerability technicians do communications.
- Have a landing page that outlines the process/timeline from start to finish.
- If a company is willing, be a partner.
- Don’t post so quickly.
Sucuri has to balance their own business incentives against responsible disclosure and against not burning bridges with the companies whose software they cover. I think James makes good points.
Read also: Sucuri’s disclosure, and PageLines’ official post.