In this era where we have a mobile application and a website for everyone even with more software engineers; data leaks or security issues are a common phenomenon. This document will hopefully help anyone who finds leaks report them ethically without causing too much harm.
First things first
- Does this affect more than one person ?
- Does reporting this damage lives in a long term and is the damage irrevocable ?eg : The leak of health records of HIV Patients from a pathology lab or a hospital could affect the people involved by marking them for their entire life. This information coupled with social stigma could affect their prospects of a healthy life or their professional lives
- How long will it take for the organisation to close the leak ?
- In case there is no clear tangible impact, could this have an impact in combination with other public data?
- Do I have support by which we mean :
- Financial to support me in case of consequences
- Personal networks to support me
- Legal Support Systems
- Who else is at risk if i am in trouble
- What are the chances that the organisation you are reporting against will act to prosecute you
- Do I have the mental ability / support to handle the stress for the period of time
- Do I have the technological support to help me protect myself and my loved ones
Effectively document your finding
Documenting your story
When you chance upon a leak and confirm it by double checking. It is highly recommended to make elaborate notes on how you discovered the leak. This documentation should be done as soon as possible if possible right after you are confident of it as a leak. The reason being this is going to be something various stakeholder will be asking you repeatedly and having as many accurate details will help support your case. You can use secure note taking platforms like etherpad / riseup pad to protect your privacy if you making notes online. It is recommended that you store this offline in an encrypted format. Also take screenshots with time stamps ( this could be a double edged sword too if you are liable to prosecution because of the leak)
Documenting the Bug
An elaborate documentation of the leak itself helps in getting it fixed faster. Engineers always find it useful to have more information.
- Include steps to show how to replicate your bug , talk about pre conditions eg : it could be accessing a particular page with a particular browser / accessing it with a certain phone
- Include screenshots if possible.
Effective process to share your findings
Reaching out to concerned officials / Organisations
The right way to report a leak would be to reach out the organisation of the leak and write to them about your findings before you go public with a leak ( offcourse this has consequences we certainly dont recommend this for Snowden or Manning type leaks assessing you risk is very important before you do this ). This can be done in many ways
- Bug Bounty Programs : Most technology orgs have a bug bounty program and also sometimes offer rewards for reporting of leaks this is the easiest and the most rewarding way to reach out to orgs.
- Organisation Public Issue trackers : Some open organisation do not have a bug bounty programs but have public bug repositories this is either linked to their code repos or to their websites. This is another way to report any security leaks.
- Community Outreach Co-ordinators : In the absence of a bug bounty programs or Issue trackers some organisation have Outreach Coordinators and they are developer and business liaisons for a organisation. For any critical leak it is highly advisable to talk to them to report bugs this will ensure the closure of leaks with minimal lead time
- Public / Private mail ids : While some prefer anonymous reporting , sometimes personal reporting helps build confidence and obtains quick results. If you wish to stay anonymous it might be best to report to the public email ids available on the website. On the other hand if you have a certain degree of confidence on the intent of an organisation. It might be best to use your personal network to reach out to them and talk them through it
In case of leaks of the government websites : Every country has a specific process to report leaks on government websites. In India specifically CERT India is responsible for the security of government websites and it is best to report to them. The other organizations one can reach out to are
- CERT India
- Government Body that it is affected
Talking about the Security Issue in Public
While it is very easy to talk about a security issue in public . It is also considered a honor by many and sometime a necessity to report. We recommend the following actions if you plan to do so
As a general rule avoid talking about a leak or a issue before it has been fixed
Initiating the removal of sensitive data
Make sure atleast the sensitive data is removed before you share a issue if you cant get the complete issue fixed. By Sensitive Data we mean Personally Identifiable Information. It is also recommended that you clean the data for secondary Identifiers ( these are identifiers when coupled with other information can still make data personally identifiable). If you are not sure of identifiers we recommend that you talk to organisations which have been working on Open Data for a while ( below is a list of some organisations)
Building a campaign
While sporadic tweeting or sharing help sometime . It is always recommended that you build a plan to talk about the leak.
- Decide on your objectives for sharing the leak what would like to achieve .
- Identify people who are working in this field and could help you amplify your voice.
- Talk in as much accuracy of the effects of the leak and its origin
- It might be best to leave out details of reproduction of the leak if you think it could harm more people
Sometimes using screen shots not amplifies your report and its impact. We recommend using it as opposed to share the methodology of replication in public. Though one has to be cautious while sharing screenshots make sure you block any personally Identifiable information or information that could cause damage to lives or property.
Talking to Press
Before talking to the press please be clear of your intentions to do so. Again we recommend this only after the issues have been fixed. But sometimes it is important that you talk in your help to close the issues and we understand that. So we have put together a set of things that would make this conversation ethical and effective
- Make sure to disclose you intent of reporting leaks
- Disclose any funding you have received to do this work
- Avoid sharing in detailed description of the leak in case it has not been closed yet
- Make sure to not share sensitive data either through your screenshots or through data
List of organizations to ask for support
Online Security and Whistle Blower Protection
- AccessNow Helpline
- Local Cryptoparty ( InfoSec )
- Frontline Defenders
- Security Without Borders
Open Data Questions
Legal Support ( India )
Security Methodology and Advice
- CERT-IN Brochure http://www.cert-in.org.in/Downloader?pageid=2&type=2&fileName=BRO-2011-0101.pdf
- Information technology Act 2000 http://www.dot.gov.in/sites/default/files/itbill2000_0.pdf
- Responsible Disclosure Guideline by The National Cyber Security Centre (NCSC), Government of Netherlands
This guide was written by Chinmayi S K with contributions and feedback from Thejesh GN , Chris Kubeca , Amber Sinha and Nisha Thompson
This post is released under the Creative Commons Share Alike 4.0 License
If you have any feedback or comments please feel free to write to us through this contact form and we will get back to you asap