If you are a startup, you need to add a security page to your site. Tell me how to report a security issue if I find one.
I have lately been noticing a lot of security issues, especially XSS, found with a very basic probe string like >'>"><img src=x onerror=alert(1)>. With most websites, I notify them via email. Some startups are awesome and send some swag or T-shirts. Thank you. A lot of them make it clear upfront that they don’t offer a bounty or swag, and that is cool.
My problem is that there is often no way to tell your startup that there is a security issue. I usually end up at your Zendesk ticketing system, where the people handling your customer service may not understand what those security issues mean.
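To show why that one probe string finds so many issues, here is an added example (not code from this post): a tiny Python page renderer that reflects a search term into both an attribute value and a text node without escaping, beside the same renderer with HTML entity escaping. The probe closes a single- or double-quoted attribute, closes the open tag, and injects an <img> whose onerror handler fires because src=x never loads. The renderer, its names and the crude regex check are assumptions made for illustration.

```python
import html
import re

# The probe string quoted in the post above. It breaks out of an attribute
# value closed by ' or ", breaks out of the enclosing tag, then injects an
# <img> whose onerror handler runs because "x" never loads.
PROBE = ">'>\"><img src=x onerror=alert(1)>"


def render_unsafe(query: str) -> str:
    """Vulnerable: user input is concatenated straight into the markup."""
    return (
        '<input type="text" name="q" value="' + query + '">'
        "<p>Results for " + query + "</p>"
    )


def render_safe(query: str) -> str:
    """Hardened: the same page with HTML entity escaping in both contexts.

    html.escape(quote=True) turns < > & " and ' into entities, so the probe
    can no longer close the attribute, close the tag, or open a new one.
    """
    q = html.escape(query, quote=True)
    return (
        '<input type="text" name="q" value="' + q + '">'
        "<p>Results for " + q + "</p>"
    )


# Crude check for the demonstration only (a regex, not an HTML parser):
# did an <img ...onerror=...> tag that the server never wrote end up in the output?
INJECTED_IMG = re.compile(r"<img[^>]*onerror=", re.IGNORECASE)


def contains_injected_handler(markup: str) -> bool:
    """True if the rendered page carries a live injected event handler."""
    return INJECTED_IMG.search(markup) is not None


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(PROBE)
        print(f"{name}: injected handler present = {contains_injected_handler(out)}")
        print("  " + out)
```

Run it and the unsafe output contains a literal <img src=x onerror=alert(1)> that a browser will execute, while the safe output shows the same characters only as &lt;, &gt;, &quot; and &#x27; entities. Escaping for the exact output context is the fix; the probe string is just a quick way to see whether it was applied at all.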
If you are a startup, the following should at least be part of your organisational process:
- Create a security page and make it easy for me to report an issue.
- Acknowledge the efforts of a person reporting a security issue – I am not looking for a bounty. A simple thank you on your security page is good enough.
- Provide appropriate updates and keep me in the loop on what is happening with the security issue.
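One concrete, machine-discoverable way to do the first and second points is a security.txt file, standardised in RFC 9116 and served at /.well-known/security.txt alongside the human-readable security page. The fragment below is an added example, not something from this post: the example.com addresses and URLs are placeholders to replace with your own. Contact and Expires are the two required fields; Policy can point at the page that states whether you pay bounties or send swag, and Acknowledgments at the page where you thank reporters.

```text
# Served at https://example.com/.well-known/security.txt (RFC 9116)
# Contact: where to send a report; several Contact lines are allowed, listed in order of preference.
Contact: mailto:security@example.com
Contact: https://example.com/security
# Expires: required; after this date the file should be treated as stale, so refresh it before then.
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
# Policy: the page that says how reports are handled and whether a bounty or swag is offered.
Policy: https://example.com/security
# Acknowledgments: the page where reporters are thanked.
Acknowledgments: https://example.com/security/hall-of-fame
```

Researchers and scanners look for this path first, so it routes reports straight to people who understand them instead of into a general customer-support queue. Keep it in step with the security page it points to, and set a reminder for the Expires date.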