StreamSets recently posted a “Responsible Disclosure” policy to the company website. That policy reads:
StreamSets is committed to the security of its services and the protection of its customers’ systems and data. In that effort, we would like to make the process of suggesting improvements or reporting possible vulnerabilities as easy as possible. If you believe you’ve found a security vulnerability, please send it to us by emailing firstname.lastname@example.org. Please include the following details in your correspondence:
- A description of how the bug or vulnerability was discovered to aid in reproducing the occurrence;
- Any screenshots or other evidence seen;
- How and when to most conveniently reach you, should we have any questions.
- Please make a good faith effort to avoid privacy violations or any disruption of StreamSets services.
We will endeavor to respond to your report within 5 business days. We welcome your assistance in making StreamSets a more secure service and appreciate your good faith efforts to contribute to our efforts.
Such a policy says, “If you find some bug or other vulnerability in our services (and please look around carefully!), please let us know, and we’ll work with you to address it.” We want to avoid unintended damage (e.g., finding a bug and testing it to see… yep, that blew up!) or us mistaking you for a malicious hacker.
With a B2C (business-to-consumer) service like Yelp or Zillow, the company’s own website is its service platform: you come to Yelp to read reviews on the site or to submit your own, so how the corporate website works is one and the same as its service. For services like those StreamSets offers, the customer gets services apart from the corporate website. Visitors to StreamSets.com are seeing our marketing material, information on how to buy and use the service, etc.
While it’s still important to keep the company website secure (e.g., to avoid exposing information on customers or prospects collected by our Marketing department), that’s a rather different concern from securing the various services that a data engineer will interact with and use to manage data pipelines. As such, our services are less accessible to the casual security professional hunting for bugs on the web.
Some companies run either their own or third-party “bug bounty” programs, where security investigators can be paid for uncovering bugs. Such programs complement the work that the company may do with its own internal information security teams or through third-party or customer penetration test teams. StreamSets does not currently run a bug bounty program, but is open to collaborating with those who might discover vulnerabilities.