Our experience with Responsible Disclosure after 3 months

On November 28th we posted a blog about our ongoing security plan with Zerocopter. Last month we visited their offices in Amsterdam, and we can recommend that any online platform, app or service chat with them about finding vulnerabilities and getting them fixed.

Let’s review and see what Responsible Disclosure brought us thus far.

An eye on the stats

Stats, oh the stats! Measuring is knowing, so we kept score. Or better yet, Zerocopter kept score. We just fixed the reports that came in. From minor glitches to some more pressing matters, any fix we do adds to a safer and smoother platform.

After three months we have a total of 34 resolved reports by 15 active researchers looking at our platform, with 5 still open and in review — to be fixed. It may seem like a lot, 34 reports within the timeframe. It is. It just goes to show how fast and at how many levels you could run into trouble as a platform if you’re not on top of things. Of course, nothing is air-tight. Even with so many reports resolved, as with anything, the real danger isn’t in the quantity of the reports — but in the severity of a vulnerability within a report.

Reports decrease, severity increases

Even after resolving quite a few reports, we can’t let our guard down. The more you solve, the better. It also means that whatever is found next could be an incredibly severe vulnerability and could really hurt us and our users. So when the number of reports decreases, the severity of the reports that are submitted may increase.

Overall we’re very happy with the reports that were submitted, granted — some of the reports are just guesses or researchers grasping at straws. You can imagine some edge-case scenarios that don’t require our immediate attention, but are still fixed. Because it would be silly to leave even the slightest possibility of a breach unattended.

In some cases you receive reports that don’t require any fixing, and you spend time discussing something that isn’t an issue. That can be frustrating. That’s something we have to deal with and have a solution for in the works. We’re still easing into getting everything as efficient as possible and every hour that we can shave off not discussing non-issues would be great. Luckily Zerocopter offers a way to let them take over any triage necessary. Regardless, having a Responsible Disclosure is worth every penny and every drop of sweat that goes into it.

Continuing the program, obviously

As we grow and more code is introduced every single day, we have to assume there will be bugs 🐛 — it would be naive and silly to think we could write bug-free code. There’s no such thing. Having a lot of extra eyes on our code, scanning for vulnerabilities and keeping us in check is a real life-saver. It also changes the way we think about writing code, how the platform should react or feel, what to look for ourselves and putting ourselves in the shoes of hackers. Look at our platform from a different perspective. How to combat certain attacks, without compromising on performance and user-experience. It’s a constant conflict of interest, because you want the best user-experience ánd the best security, anti-fraud and so on. You have to balance it all out, but that’s half the fun.

An extra layer of protection with BitSensor

Besides our Bug Bounty & Responsible Disclosure program with Zerocopter we’ve implemented the revolutionary software services of BitSensor.

BitSensor is a Dutch company run by some of the best and brightest ethical hackers the world has to offer. Combined with Zerocopter and the constantly improving measures we take ourselves it’s our belief that we’re on the right track with our level of security.

We’ll always keep exploring. Join the fun at nocks.com!