We now have a Responsible Disclosure Policy!
Ever since I started working for SiteGround I have been really impressed with the effort that goes into protecting the data security of the company and (ultimately) the user. There’s virtually no action taken and no line of code written that are not thought through from the security perspective first. With this level of commitment vulnerabilities in our systems are rare. However, when they appear there is no way to guarantee we’d be the first to spot them.
It is a blessing that we have a community of thousands of happy customers, including some computer security researchers among them. During the years we had several vulnerability cases reported by customers. However, so far there was no structured way to report a security issue to us. To make up for this we are now setting up a formal Responsible Disclosure Policy.
What is a responsible disclosure policy?
Typically, a responsible disclosure policy lays out the rights and responsibilities of both providers and users, regarding the reporting of bugs and vulnerabilities. The service provider agrees to acknowledge the vulnerability, fix it, and refrain from legal action against a party disclosing it responsibly, while the entity that discovered the issue agrees to keep it private until the provider has fixed the problem.
Why we need it?
Have you ever heard of another shared hosting provider that has a responsible disclosure policy? I bet you have not. Usually, shared hosts do not produce a lot of custom software. They use ready-made solutions and they rely heavily on the vendors, providing these solutions, to fix any security issues that appear.
Well, the case with SiteGround is completely different. Guided by our handmade philosophy we have heavily modified most of the software we use and we have created multiple custom software solutions. This gives us greater freedom, but also brings greater responsibility. We have always welcomed people that are willing to share any issue they have found in our systems. Launching our official responsible disclosure policy now is a way to announce publicly this approach and provide people with a clear structure.
What to do if you find a vulnerability?
If you suspect you might have discovered a vulnerability in our services, or the third-party software we use, our Responsible Disclosure Policy is your go-to place. The policy lays out the basics of how to test responsibly; what to do if you think you have discovered a bug; and how to report it. It also outlines our commitment to responding responsibly to your report – by acknowledging and fixing the vulnerability as quickly as possible.
Our promise is that if you report a legitimate vulnerability and do not wish to remain anonymous, we will mention you in the “Honor roll” and put a link to your social media profile/company website/personal blog.
We are always on the lookout to improve our services even further and we hope this step allows us to make them even more secure for our customers. As always, we would be happy to hear your comments and suggestions, regarding the Responsible Disclosure Policy or improving the security of our services in general. Please post them in the comments.