Dozens of America's largest companies have no simple way to report security flaws
If you found a security bug or vulnerability at a top American company, there's a good chance that you will have no easy way of alerting them.
This is because around one-third of the largest companies in the United States have no apparent way to notify them about security issues, such as a dedicated email address or a bug bounty program, according to a new analysis by this week in security of the websites of the top 100 U.S. companies by revenue.
Some of these companies, like Cencora, Charter, and Home Depot, have experienced major security incidents in the past but still have not opened their virtual doors to outside reports.
I previously wrote about why it's critical for companies and organizations to make it easier for people to report bugs. Security researchers and regular consumers alike find issues all the time, from the highly complex flaws to the dead-simple data exposures. People who care about brands want to help them succeed, but often find no way to escalate a potential issue.
A company that lets people reach it through a dedicated security channel, whether an email address, a web form, or a more formal vulnerability disclosure or bug bounty program, can make the difference between fixing a security issue before it is exploited and knowing nothing until it has to mop up after a malicious cyberattack.
An open door is all the more important because of the fear of repercussions and legal risks that comes with security research and reporting security issues. All too often, companies invoke their attorneys out of fear of damage to the company's reputation or outright ignorance. Having a way to let people report flaws sends a message to the outside world that the company is willing to be helped, rather than ready to sue someone into silence.
There are easy, commonly used, and industry standard ways that companies can achieve this. These options range from the very simple, like publishing a security.txt file (standardized as RFC 9116) at /.well-known/security.txt on the company's domain, containing at minimum a Contact entry with the best address for researchers to use and an Expires date so that stale files are not trusted, all the way through to formal vulnerability disclosure programs and bug bounties that compensate people for their findings.
This week, I analyzed the main websites and core platforms and services of the top 100 largest American companies, known as the Fortune 100. I looked for security contact information, such as security.txt files and mentions of any vulnerability or security disclosure programs on their websites. This process included manually scanning the websites of tech and phone giants, retail conglomerates, healthcare and insurance companies, banks, financiers, carmakers, and more.
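The security.txt lookup described above can be automated. The following Python script is an added example, not code from the original article or from any company's program: it parses a security.txt file and runs the basic RFC 9116 checks (mandatory Contact and Expires fields, Contact values that are mailto:, https: or tel: URIs, an Expires timestamp that is timezone-aware, not yet past, and less than a year out, no plain-http web URIs). The fetch helper assumes the RFC's well-known path; the two sample files are constructed for the demo and do not describe any real company.

```python
"""Parse and sanity-check a security.txt file as defined by RFC 9116.

Added example. The sample files below are constructed, not taken from any company.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
import urllib.request

# Fields defined by RFC 9116. Contact and Expires are mandatory; Contact may repeat.
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments", "Canonical",
                "Policy", "Hiring", "Preferred-Languages", "CSAF"}
ALLOWED_CONTACT_SCHEMES = {"mailto", "https", "tel"}


def fetch_security_txt(domain, timeout=10):
    """Fetch https://<domain>/.well-known/security.txt, the RFC 9116 location.
    Makes a network request; the offline demo below does not call it."""
    url = f"https://{domain}/.well-known/security.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_security_txt(text):
    """Return {field_name: [values]}, keeping repeated fields in file order.
    Blank lines, '#' comments and lines without a 'Field: value' shape are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line; RFC 9116 lines are "Field: value"
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes these checks.
    `now` may be pinned to a fixed datetime so results are reproducible."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []

    contacts = fields.get("Contact", [])
    if not contacts:
        findings.append("missing mandatory Contact field")
    for c in contacts:
        if urlparse(c).scheme not in ALLOWED_CONTACT_SCHEMES:
            findings.append(f"Contact is not a mailto:/https:/tel: URI: {c!r}")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            # RFC 3339 date-time; older Pythons need 'Z' spelled as '+00:00'
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                findings.append("Expires lacks a timezone offset")
            elif when <= now:
                findings.append(f"file expired on {expires[0]}")
            elif when - now > timedelta(days=365):
                findings.append("Expires is more than a year away (RFC 9116 recommends under a year)")

    if len(fields.get("Preferred-Languages", [])) > 1:
        findings.append("Preferred-Languages must not appear more than once")

    for name, values in fields.items():
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field {name!r}")
        for v in values:
            if urlparse(v).scheme == "http":
                findings.append(f"{name} uses plain http, expected https: {v!r}")
    return findings


# Constructed samples (not from any real company) for an offline demo.
GOOD_SAMPLE = """\
# Example security.txt for a fictional company
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-06-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

BAD_SAMPLE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Policy: http://example.com/disclosure
"""

if __name__ == "__main__":
    pinned = datetime(2030, 1, 1, tzinfo=timezone.utc)
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(sample, now=pinned) or "OK")
```

Run it against a live domain with `check_security_txt(fetch_security_txt("example.com"))`; a 404 on the well-known path is itself the finding the article's survey was looking for. The checker deliberately treats a bare email address in Contact as a defect, because the RFC requires a URI and the `mailto:` prefix is the mistake seen most often in hand-written files.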
The results are, in my view, not great! This is what I found:
Almost three-quarters (73%) of the Fortune 100 have no security.txt file on their website. This file is one of the first things an outside researcher will look for on a company's website to find its security contact information immediately. This means 73 companies offer no standardized, easy-to-find place to look up where to report a security flaw.
That said, 65% of the Fortune 100 do have some form of vulnerability or coordinated disclosure policy, or bug bounty program. This suggests that there is willingness among many of the top companies to receive security reports from people; it's just not always as immediately obvious how to find these company pages to begin with. Much of my discovery relied on searching for "company name" + "vulnerability disclosure" or similar language in search engines.
However, around half (47%) of the bug bounties offered by these companies do not financially reward outsiders for their submissions, despite being run by some of the most revenue-driving companies in the United States.
Most of the tech companies, such as Amazon, Apple, Google, Microsoft, and Uber, compensate security researchers for their bug reports, but outliers include Cisco, Nvidia, HP, and Oracle, which do not pay security researchers for their work.
In total, around one-third (30%) of the Fortune 100 have no obvious or clear way to report a security issue at all, and do not make it clear where such reports should go.
~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more.
My takeaway from this analysis is that companies should make it easier for people to reach them. The optics matter: a published contact sends a signal that the company cares. And the information that comes in could spare the company, and its users' data, from a cybersecurity disaster.
I've reported on countless breaches in the past in my career as a cyber reporter. And I can tell you how frustrating it is scrambling around trying to find (or guess) the email address of a company's CEO to notify them of an ongoing security lapse, only to get nothing back — or correspondence from their lawyers.
But the wealthiest companies in America certainly have no excuses. They have more money, power, and resources than some countries. Good-faith researchers and customers alike shouldn't have to traverse every circle of Hell just to do a company a favor.
Shoutout to EdOverflow, who is behind the security.txt project and suggested that I check out findsecuritycontacts.com; and Casey Ellis who helps to run disclose.io, both of which have granular lists to search for security contact information and more. These projects are great, so bookmark them for when you need them. Also, Katie Moussouris who runs consultancy Luta Security keeps a regular blog with tons of information about why bug bounties and vulnerability disclosure programs can benefit you and others.
I have included the raw data below for all paid subscribers to peruse. Yes, this took some time to figure out. No, AI wasn't used at all. Please let me know if you see any errors or corrections needed, as humans make mistakes, too.