Bug🐞 and vulnerability reporting is the process of identifying and reporting any issues or security vulnerabilities found in a software product or system. This repo helps track this within our Cyber Ecosystem in Nigeria.
This is usually done by users or security researchers who have discovered a problem that could potentially harm the system or its users.
See our Security Researcher Hall of Fame
The purpose of bug and vulnerability reporting is to help developers and system administrators to identify and fix the issue to prevent further damage or exploitation. It is an important part of maintaining the security and functionality of any software or system.
There are different methods and models of bug and vulnerability reporting, depending on the nature and severity of the issue, the relationship between the reporter and the affected party, and the incentives or rewards offered for finding and reporting bugs and vulnerabilities. Some of the common methods and models are:
- Private Disclosure: The reporter discloses the bug or vulnerability privately to the affected party, and does not make it public until a fix is available or agreed upon. This model is often used by bug bounty programs, which offer rewards for finding and reporting bugs and vulnerabilities in a specific scope and under certain terms and conditions.
- Responsible or Coordinated Disclosure: The reporter discloses the bug or vulnerability privately to the affected party, but also agrees to make it public after a certain period or when a fix is available. This model is intended to balance the interests of both parties and to encourage collaboration and communication.
- Full Disclosure: The reporter discloses the bug or vulnerability publicly as soon as they find it, without notifying or coordinating with the affected party. This model is often used as a last resort, when the affected party is unresponsive, unwilling, or unable to fix the issue, or when the exploit code is already available to attackers. This model is very controversial, as it can expose users to risks and damage the reputation of the affected party.
A vulnerability disclosure policy (VDP) is a set of guidelines and procedures that organizations or companies follow when receiving reports of security vulnerabilities in their software or systems. The VDP outlines the steps that the organization takes to receive, verify, and address the reported vulnerabilities.
- A well-written VDP can encourage security researchers and users to report vulnerabilities they find, while also providing clear guidance to the organization on how to handle such reports.
- A VDP can help an organization identify and fix security issues before they can be exploited by attackers, and can also help to build trust with users and customers by demonstrating a commitment to security.
See the sample VDP here. Organizations are recommended to adopt a VDP to ensure responsible disclosure across the board.
Whitehat.NG is a project pushing for Responsible Disclosure In Nigeria + Nigeria Cyberspace - ISAC + peopleCERT Nigeria. Whitehat.NG does not condone or encourage any illegal or unethical activities related to bug and vulnerability reporting. Whitehat.NG only supports private and responsible disclosure of security issues, in accordance with the applicable laws and regulations and the best practices of the cybersecurity community. Whitehat.NG is not liable for any damages or losses caused by the actions or omissions of any bug or vulnerability reporters or affected parties.
Report NOW
You can use our form here to make your first report. Thank you for keeping Nigeria's Cyberspace a safer place.
ngCERT - Visit: https://cert.gov.ng Email: [email protected] Call: +2349055554499
NCC-CSIRT - https://csirt.ncc.gov.ng/ +234-903-985-9263
NITDA CERRT - Call: +234 817 877 4580 Email: [email protected] Web: www.cerrt.ng
We encourage organizations with a Vulnerability Disclosure Policy to reach out to Whitehat.NG so we can list them here and foster a single platform for all VDPs in the country. If you don't have one, you can take a cue from the sample or the one on our LinkedIn. See securitytxt[.]org for a proposed standard (security.txt, RFC 9116) that lets a website publish its security contact and policy location in a machine-readable file.
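The security.txt standard referenced above places a small text file at /.well-known/security.txt on the organization's site. The following is an added example, not part of this repo, that parses such a file and checks the fields RFC 9116 requires (Contact and Expires) so an organization can verify its own file before listing its VDP; the SAMPLE file and the example.org addresses are constructed.

```python
# security.txt (RFC 9116) checker; added example, not this repo's code. SAMPLE is constructed.
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")  # both mandatory per RFC 9116
KNOWN = {"Contact", "Expires", "Encryption", "Acknowledgments", "CSAF",
         "Preferred-Languages", "Canonical", "Policy", "Hiring"}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

def parse_security_txt(text):
    """Return {field: [values]}; comments and blank lines are ignored."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # keep only "Field: value" lines
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in fields]
    problems += [f"unknown field: {f}" for f in fields if f not in KNOWN]
    for c in fields.get("Contact", []):
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto/tel/https URI: {c}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for exp in expires[:1]:
        try:  # RFC 3339 timestamp; a trailing Z is only accepted by fromisoformat from 3.11
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not RFC 3339: {exp}")
            continue
        when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)  # treat naive as UTC
        if when < now:
            problems.append("Expires is in the past")  # stale file: reports may go nowhere
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year out")  # RFC 9116 advises less
    return problems

SAMPLE = """\
# constructed sample served at https://example.org/.well-known/security.txt
Contact: mailto:security@example.org
Expires: 2030-01-01T00:00:00Z
"""
```

Running `check_security_txt(SAMPLE)` returns only the "more than a year out" warning while the constructed Expires date is over a year away; any missing Contact or Expires line is reported as a hard problem.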