Disclosure – How do you deal with a white hacker claiming a security hole?

To answer each of your questions:

1. Basically, how should we proceed or should we even?

I recommend continuing. You get valuable information that can be used immediately to improve the security of your business. You did not tell us what the researcher sent you, but they either have a description of the vulnerability or steps to reproduce it. To continue, you need from them:

  • A description / attack scenario for the vulnerability found. Why is this a problem? What exactly does it allow an attacker to do that he should not be able to? What is the worst case / severity of the finding?

  • Reproduction steps. What steps could you hand to any engineer so that he can reproduce the bug every time?

  • What the hacker wants in return. As mentioned, it may be permission to publish the finding after the fix, or money.

  • You may also want to receive fix recommendations, a risk assessment, etc. from the researcher.

VERY IMPORTANT: Make it clear to the researcher that you expect the issue to be kept confidential until the problem is resolved. You can agree on a fix window, e.g. they may publish if the problem is not resolved within 60 days. This is common practice and should be acceptable to most companies with a strong security record.

2. What is the general expectation of a white hacker?

Depends on the researcher, but he will probably want permission to publish the finding as soon as it has been fixed, as well as a financial reward. Rewards are based on the overall severity and the scope of the bounty program. HackerOne, a large bug bounty platform, has a matrix that suggests payouts relative to the size of the company / bounty program: https://www.hackerone.com/resources/bug-bounty-basics. Determining the payout is a subtle art. I recommend that you search HackerOne or other bug bounty platforms for similar bugs and base your payout on what other companies are paying for the same kind of problem.

Again, a common expectation among researchers is that they can publish the finding after a given time, regardless of whether it has been fixed by then. 60 days is common, but I would not agree to a time span if you're not sure your business can deliver within that window. After the issue is resolved, the hacker will want to verify that the fix has been implemented correctly.

3. How to validate?

Use the steps the hacker gave you. They should be clear enough that any engineer can follow them exactly and reproduce the bug. If there are problems here, you can go back to the researcher and ask for clarification. It is the researcher's responsibility to provide the company with reproduction steps that describe and identify the bug.

Once the problem is resolved, you can invite the researcher to review the fix and ensure that it has been completely patched.