Responsible Disclosure and Ethics Around Punkspider
What Punkspider Is
Punkspider is a simple transparency tool that identifies basic website vulnerabilities. The common exploits that Punkspider’s browser extension detects provide further evidence of our belief that basic security online must improve, and that consumers have a right to know if they are at risk when using the web. At the same time, we have acted decisively on our responsibility to ensure that such disclosures minimize potential harms by adopting a controlled, phased approach to Punkspider’s release.
Why We Built Punkspider
We want everyone to be able to answer a simple question: how dangerous is the internet I use?
Our extensive research revealed a large, but unfortunately not surprising, number of vulnerabilities across the web. As ransomware attacks continue to plague companies and consumers, vulnerable web applications play a tragic role in harvesting user information and supporting criminal enterprises. QOMPLX recognized that everyday internet users and the cyber community need a shared perspective on the specific dangers of the web.
Our Responsibility and Safeguards
We recognize our responsibility to be part of the solution to making security safer, and from the beginning have taken concrete steps to minimize opportunities for misuse by malicious actors.
Punkspider only reveals fundamental vulnerabilities.
Punkspider is being deployed in a phased and planned manner. We deliberately chose to reboot Punkspider by announcing a new web browser extension tool first, unlike the original version that provided a fully searchable database to the general public immediately. Members of the public are not able to search and harness specific exploits using Punkspider today. Notification and other safeguards currently underway will precede the public release of wider features to ensure website operators can fix issues identified during scans.
We take both legal and operational considerations very seriously and have been in ongoing consultation with stakeholders and others to determine the best way to raise awareness. Our phased approach to deploying this product was designed so that it can empower consumers with general warnings about dangerous sites and then surface additional details to website defenders in order to help create a rising tide of web security.
There is precedent for public disclosure of vulnerabilities. QOMPLX is continuing to blaze a trail on improving digital security that’s been well developed by prominent organizations over the years. For example, Google’s Project Zero was announced in 2014 and also developed their own disclosure framework and timeline to increase transparency and minimize the potential for abuse.
Our Step-By-Step Process for Responsible Disclosure
Simple Warning Tool for Consumers
We developed the Punkspider browser extension to warn regular consumers when they might encounter certain websites that could be dangerous for them. By design, the tool does not reveal the specific details a malicious actor would need to exploit the website.
Notification for Website Owners
We have a process to provide notification to organizations with detected vulnerabilities. In particular, our team specifically and personally reached out in advance to the owners and administrators of organizations that have been named publicly.
Pro-Bono Expertise to Help Fix Vulnerabilities
We will provide expert guidance and tools to organizations who wish to fix the types of basic vulnerabilities detected by Punkspider.
3rd-Party Security Resources
We will provide a list of expert, independent 3rd party security researchers with publicly available resources to fix the types of vulnerabilities detected by Punkspider.
We are collecting important data about web security so we can all get our arms around this shared problem. We're evaluating the best methods to allow access to a controlled subset of the information via a searchable database. Timing and final format for this stage is still being determined.