Punkspider is Pioneering Responsible Disclosure at Internet Scale

Punkspider’s focus is on consumer protection and safety. At QOMPLX, we’ve instituted a robust process to phase in the reboot of Punkspider in a thoughtful, responsible, and effective way. We are improving basic web security for everyone while also considering Punkspider’s overall impact on site owners and operators, security researchers, policy makers, and, most importantly, the average consumer navigating the Internet.

In practice, that means we exercise a methodical approach to responsible identification and disclosure of vulnerabilities that can negatively impact consumer safety on the web. We provide tools for website owners, operators, and outside stakeholders. And we deploy safeguards to understand how Punkspider is being used and combat potential for misuse of this powerful technology and resulting datasets.

Punkspider scans and identifies website vulnerabilities and compiles information to improve security on the web. Specifically, Punkspider scans for vulnerabilities that are relatively easy to check for and that have long been known to plague the web, even though best practices for mitigating them have been well known, and expected to be implemented, for years.

Our scans interact with websites just like real users, employing the same kinds of interactions that websites were designed for with simple queries and user emulation. Hundreds of household-name enterprise companies employ similar methods to gather basic information from around the web for consumers, from travel booking sites to shopping for the best deals around the web on clothes or cars. Punkspider scans do not damage websites and we don’t collect or retain personal information. Punkspider’s innovative technology automates the process of identifying common web vulnerabilities at scale, and provides consumers with a free and user-friendly browser extension to help them know when they are visiting vulnerable sites. We think consumers have a right to know if sites they are on are dangerous, so they can better choose their online counterparties.

Responsible disclosure enables consumers to vote with their feet, making informed decisions about which parts of the Internet to frequent thanks to access to more information about potentially dangerous sites. We alert security teams so they can fix vulnerabilities quickly, saving the time and money currently spent on manual solutions and expensive consultants that identify such problems only infrequently.

It’s common practice to set a public disclosure date to encourage vendors to apply a patch in a timely manner. Google’s Project Zero, for example, sets a 90-day disclosure timeline, or a 7-day timeline for vulnerabilities that are actively being exploited, regardless of when the bug is fixed.

With typical responsible disclosure, researchers discover a bug and then engage directly with the vendor or entity before publicly disclosing the details. This gives the affected party an opportunity to fix the issue before the general public knows about it. Responsible disclosure is typically a time-consuming process, and vendor responses vary widely: from appreciation, to anger, to worse, simply ignoring the disclosing entity altogether.

The challenge here is performing responsible disclosure for Punkspider findings at Internet scale. On the first run of the top 1 million most frequented sites on the internet, Punkspider found tens of thousands of vulnerabilities! Conducting typical responsible disclosure across thousands of entities is an enormous undertaking and to our knowledge has not been done before at this scale. When we decided to bring back Punkspider we simultaneously reimagined the best approach to gradual and responsible disclosure of our findings. Our multi-channel solution to increase visibility is detailed below.

We also continually re-evaluate our disclosure policy and legal requirements and welcome any constructive feedback or recommendations from the broader community. From the very beginning, we’ve been consulting with leading security and legal experts and organizations to make iterative improvements driven by on-the-ground feedback and our findings and observations. We’ve met with digital advocacy organizations, engaged in lengthy legal consultations with outside attorneys, and shaped our responsible disclosure and phased product rollout approach accordingly.

As an organization, we take seriously the legal and ethical concerns and are committed to using this product to appropriately and practically reduce malicious cyber activity. We are committed to responsibly identifying vulnerabilities without undermining either of these important values.

The table below outlines the ways we disclose vulnerabilities discovered by Punkspider.

Method: Browser Extension
Description: The Punkspider browser extension is currently available in the Chrome store. After installing the extension, every site a user visits is checked against the Punkspider database. If a vulnerability is found, the extension shows an overview of the types of vulnerabilities found but won't disclose any additional technical details needed for exploitation.

Method: Security.txt
Description: Starting in the Fall of 2021, Punkspider will check for the presence of a security.txt file and, if any vulnerabilities are found, attempt to email the address given in its Contact: mailto field.

Method: Sign-up list
Description: Site owners may also manually sign up on the Punkspider page to be notified if any vulnerabilities are found on their sites.

Method: Site owner verification
Description: Starting in the Fall of 2021, punkspider.io will host a tool for site owners that allows them to request the details of any vulnerabilities found before full disclosure. The tool sends a verification code either to the contact listed in security.txt or as a request to their server that will show up in their access logs. Once verified, the vulnerability details will be provided.

Method: Delayed full technical release
Description: The Punkspider full searchable UI (when released) will delay showing any technical details for new findings for 30 days. After 30 days, the full technical details will be available in the search results. We have not yet announced a date for this release because we are currently focused on maximizing the number of site owners and operators we contact.
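The security.txt check in the table above depends on reading the Contact: mailto field reliably. The following is an added example, not Punkspider's own code, of a small RFC 9116 security.txt parser that keeps only mailto contacts an automated notifier can email, strips any ?subject= query, and treats a file with a missing or past Expires: date as unusable for automated outreach. The sample file contents are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample security.txt in RFC 9116 layout; not taken from any real site.
SAMPLE_SECURITY_TXT = """\
# Security contacts for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Contact: mailto:abuse@example.com?subject=Vulnerability
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
"""

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_security_txt(text, now=None):
    """Return mailto contacts, other contact URIs, the Expires date and a
    'valid' flag. RFC 9116 requires Expires; a missing or past value means
    the file should not drive automated notification."""
    now = now or datetime.now(timezone.utc)
    emails, other, expires = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        field, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Field: value" line
        field, value = field.strip().lower(), value.strip()
        if field == "contact":
            if value.lower().startswith("mailto:"):
                # Keep only the address; drop any ?subject=... query part.
                addr = value[len("mailto:"):].split("?", 1)[0]
                if EMAIL_RE.fullmatch(addr):
                    emails.append(addr)
            else:
                other.append(value)  # web forms etc. need a human follow-up
        elif field == "expires":
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return {
        "emails": emails,
        "other_contacts": other,
        "expires": expires,
        "valid": expires is not None and expires > now,
    }
```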

Punkspider currently offers a browser plugin for users, but our internal teams also have access to a powerful interface for exploring those findings, much as search engines like Google crawl web pages to build a searchable index. We are gradually working towards the release of the full searchable UI as we work our way through notifications and give security teams and website owners time to access the free tools we’re now providing to help them improve their corner of the web.