Open your doors to white hats before black hats blow them off, US deputy AG urges big biz

And don't forget to add in those backdoors, ta

By Shaun Nichols in San Francisco


The second-in-command at the US Department of Justice says every business should have its own program to let third-party researchers find and report bugs.

Speaking at the Cambridge Cyber Summit in Boston today, Deputy Attorney General Rod Rosenstein said bug bounty and white-hat research programs will help companies avoid large-scale network breaches and data thefts.

"Software and hardware vulnerabilities are one means by which your networks are compromised. Finding and eradicating those vulnerabilities is an important aspect of cybersecurity," Rosenstein told attendees. "All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities found on your system."

Rosenstein recommended execs and other senior staff in the audience push their companies to look into setting up their own programs, where both in-house and third-party security researchers can test systems and report security flaws back to the company and its tech suppliers, potentially closing holes before they can be exploited by hackers.

He noted the DoJ already has its own guide for organizations on how to set up a bug-reporting platform. The hope, Rosenstein said, was that commercial outfits make themselves and the hardware and software they use more secure, and avoid breaches that the Feds would have to investigate.

"Many organizations find that the amount you can learn from 'crowdsourcing' your search for vulnerabilities in a controlled way is well worth it," Rosenstein said.

"The Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises."

At the same time, Rosenstein also talked up the need for policies that many developers argue will make software and hardware platforms much less secure: breakable encryption. The Deputy AG doubled down on his earlier calls to give investigators backdoors to decrypt data transmissions and stored info.

"We in law enforcement have no desire to undermine encryption. But the advent of 'warrant-proof' encryption is a serious problem. It threatens to destabilize the constitutional balance between privacy and security that has existed for over two centuries," Rosenstein said.

"Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, even when officers obtain a court-authorized warrant. But that is the world that technology companies are creating."

So open your doors to white hats before hackers find a way to break in. And then put in a backdoor anyway for black hats to find. Perfect sense. ®
