Filipino cybersecurity professionals reiterate their call for companies and government agencies to have a functional Vulnerability Disclosure Program or VDP. Read on to know why.
Personal information of people who accomplished the "Coronavirus Self Declaration Form" for the COVID-19 vaccination program of the Municipality of Pulilan in Bulacan could be accessed publicly using a 20-year-old vulnerability. Information includes complete name, address, phone number, birthday, email, and pre-existing condition.
A hacker who calls himself Neuchi informed MB Technews about the incident because, according to him, "it seems that the site owners do not care, we informed them about the issue last week, and until now, the site is still vulnerable." Neuchi is a member of the Philippine Hacking University (PHU) hacking group. Members of the PHU regularly hunt for vulnerable Philippine government sites and educational institutions to hone their skills in information security. Members of the group are advised by their leaders not to deface sites but instead contact the site administrators and inform them about the vulnerability to secure the sites. PHU members also told the Department of Information and Communications Technology and the National Privacy Commission about the incident, but "there's no reply yet as of this posting from these agencies," said Neuchi.
Because of this incident, Filipino cybersecurity professionals reiterate their call for companies and government agencies to have a functional Vulnerability Disclosure Program or VDP. Here in the Philippines, when whitehat hackers and IT professionals discover vulnerabilities on a website or server, it's almost certain that they would not find someone where they could send the report. With the rate whitehat and other cybersecurity enthusiasts find vulnerabilities in our government servers, it is crucial to have a channel to report them.
Bugcrowd, a crowdsourced security platform, likens VDP to neighborhood watch: "A neighborhood watch encourages people to report something if they see suspicious activity. Using this analogy: if you saw your neighbor's front door open, you would probably want to let them know about it. But if you didn't already have your neighbor's contact information, how would you let them know? Or if you left a note, how will you know if they received the message? Vulnerability disclosure programs provide a way to report potential security risks to your neighbors in a formalized and consistent way and provide a channel for the reporter to know that you got the message. Now let's think about this in terms of your internet-facing assets."(https://www.bugcrowd.com/blog/whats-a-vulnerability-disclosure-program/)
When whitehats report vulnerabilities here in the Philippines, they would be put under scrutiny by the legal department of the owner of the vulnerable system, often threatening them with a lawsuit for finding those vulnerabilities.
AJ Dumanhug, Co-founder of Secuna, a cybersecurity company, said: "In the Philippines, cybercrime activities related to defacements and security breaches are continuously increasing. So think which one is more doable for this issue? Reduce cybercrime by getting rid of adversaries or getting rid of vulnerabilities with the help of VDP?" The Office of the Solicitor General, for example, instead of fixing the vulnerable system immediately, issued a statement first that they would go after those who informed (hack) them of the weakness in their servers. The National Bureau of Investigation also issued a statement saying that the agency will get the government hackers after denying that government databases are for sale online. "Even if the government could arrest the hackers, but the agencies fail to fix the problem, nothing would happen. Other hackers would hack the systems", Dumanhug added.
The Philippine Hacking University group said that they would continue to hunt for vulnerabilities in government servers and inform the owners if they could find one. They also told MB Technews about two more government sites that are vulnerable. But while there is no functional vulnerability disclosure program, these white hats would be in danger of being arrested.
AJ Dumanhug gives this advice to government agencies and private companies: "In cybersecurity, when a cybercriminal discovers your security weakness, you lose. When friendly hackers do, you win. In cybersecurity, a single vulnerability you are unaware of is a serious risk. If a friendly hacker reported a vulnerability to you through VDP, it becomes an opportunity. An opportunity to secure and improve your application, reduce the potential breach, and boost your company's reputation."