Why Don't Financial Institutions Have Vulnerability Reporting Policies Online?
2007-09-16 12:36:00 by Security Retentive in Security Retentive
 
You may remember I did a bit on vulnerability reporting policies a little while ago. I was interested in crafting a vulnerability disclosure policy that was responsible toward both the company posting it and security researchers, and that also took into account the liability issues surrounding security researchers testing web applications.

In my previous piece I pulled together a quick summary of the public-facing security reporting policies (or lack thereof) for a number of big sites on the web. Recently I started doing the same for financial institutions. I tried finding disclosure policies online for major financial institutions such as Citibank, Wells Fargo, Washington Mutual, Chase, Fidelity, etc. I was unable to find an externally accessible security reporting/disclosure policy for any of the major financial institutions I looked at.

Why is that?
  • Fear that a disclosure policy makes it look like they could have a security issue?
  • Worried about too many people contacting them about bogus issues?
  • They don't want to be the first to publish one?
I'm not suggesting that everyone ought to follow the RSPolicy, but maybe they ought to have something online rather than nothing?
 
 
 
 
 
 