Recently Cloudflare and LastPass were faced with an inconvenient truth. Flaws had been identified in their systems and personal data that’s supposed to be private was open to the world.
Cloudflare’s issue was a parser bug that caused private, proprietary information like HTTP cookies, authentication tokens, HTTP post bodies and other sensitive data to be cached by Google and other search engines.
LastPass’ issue was a client-side vulnerability in the company’s browser extension that could be exploited to steal data and manipulate the plug-in if the user was navigated to a questionable website.
Both issues were found by Tavis Ormandy, a vulnerability researcher for Google’s Project Zero. Ormandy reached out to both companies via Twitter (https://twitter.com/taviso).
What matters here isn’t the instances of bad code Ormandy found, it’s how the two companies handled themselves in response to his discovery. Both Cloudflare and LastPass took control of the situation and, within hours of being notified, rectified the issue and publicly acknowledged something had been wrong.
John Graham-Cumming, Cloudflare’s Chief Technology Officer wrote the initial Cloudflare response that was posted on their blog (https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/)
In a recent email to Security7 Networks Graham-Cumming said the company has a plan in place to deal with incidents like this when they come up and that they’ve got a dedicated InfoSec team that’s ready to respond to all manner of problems.
“They were able to pull together the right team to deal with this problem within minutes,” he said.
Lauren Van Dam, the Public Relations Manager LogMeIn, LastPass’ parent company said they did something similar and that the organization was happy to work with Ormandy after he notified them of the flaw.
“We actively collaborated with Tavis to understand his report completely and accelerate the fix. As we developed fixes, we worked with him directly to verify that our fixes were comprehensive,” Van Dam said. “As we’ve said before, we greatly value the work that Tavis, Project Zero, and other white-hat researchers provide. “We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention,” she said.
But fixing the problem isn’t just reworking a bad instance of code, it’s about taking the time to acknowledge the problem publicly and owning it completely, front to back. Bringing that level of transparency to the situation helps the company’s reputation.
“Transparency builds trust. And transparency takes many forms: opening up code, talking about how we solved problems, talking about how and why we failed, talking about security problems,” Graham-Cumming said. “Humans are really good at spotting BS, and none of us want Cloudflare to be the sort of company the wraps its communication in a cloak of corporate double speak. It’s just not our culture (both internal and external).”
Van Dam agreed.
“As a password management service, security is and always will be our top priority,” she said. “This is why we believe being transparent with our users and community is essential. While, like all software, bugs are an inevitability, we can minimize their impact by implementing best practices and going above-and-beyond leading industry standards - and revisiting them regularly.”
Graham-Cummings added that in today’s world trust can be in short supply and people are prone to disbelief.
“People can spot lies and obfuscation. If we’re economical with the truth it’ll hurt us long term because ultimately our customers are trusting us with their web sites and their data flow and they have to trust us,” Graham-Cumming said. “After the Cloudbleed bug I spoke to many customers personally to talk to them about it. Many other senior people in Cloudflare did the same thing. Doing so gave the customer a chance to ask us questions directly and for themselves to gauge how trustworthy we are.
“I think some companies attempt to control situations with cleverly worded press releases, or by running every public statement via their lawyers,” he said. “Control is an illusion. All you really have is the trust of your customers and the larger community. I don’t think we’ve seen any backlash for being open and honest in public.”
Ultimately, what all this boils down to is transparency lends itself to improved credibility. It’s a credibility currency. The more honest and straightforward you are, the more spend and purchase power you’ve got when it comes to keeping your customers happy and your business trustworthy.
Cloudflare and LastPass deserve a round of applause for how they handled themselves earlier this year. It’s why we use them and it’s why we’ll continue to use their services AND trust them well into the future.
If you want a demo or proof of concept, please fill out the form below: