Transparency and disclosure

I see lots of security problems with educational web sites and apps.

Sometimes problems like these get reported in the press. For example, in the past couple of years Shutterfly, Schoology and Edmodo have been in the press for not using SSL to protect user accounts and the information they contain about kids. Often, even once the problems are fixed, the companies don’t report that their users were exposed to security vulnerabilities. This is not as serious as an actual data breach, but parents and educators can’t make informed decisions without transparency and information about the security practices of the sites they are considering. Many companies and sectors do make a practice of disclosing their security problems responsibly. But this is not something I’ve seen in the ed-tech space.
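The specific failure named above (a login form and session not protected by SSL/TLS) is something a parent, teacher or reviewer can check for before a vendor ever discloses anything. The script below is an added example for this post, not code from the original or from any of the companies mentioned; it audits a captured login response offline for the transport problems involved. The domain edtech.example, the two sample responses and the list of likely session-cookie names are all constructed for illustration.

```python
"""Offline audit of a login page's transport protections.

Added example for this post; not code from the original. All inputs are
constructed responses, not captures from any real site.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed names a session cookie is likely to have (an illustrative list).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "_session_id"}


@dataclass
class LoginResponse:
    """Final response for a login page (URL after any redirects)."""
    url: str
    headers: dict = field(default_factory=dict)      # header name -> value
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie values


@dataclass
class PlainHttpProbe:
    """What a request to the same path over http:// returned."""
    status: int
    location: str = ""


def _header(headers, name):
    """Case-insensitive header lookup (header names are not case-sensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def audit_login_transport(resp, probe=None):
    """Return a list of findings; an empty list means no transport issue found.

    Checks, in order: page scheme, plain-HTTP redirect, HSTS, and the
    Secure/HttpOnly flags on any cookie that looks like a session cookie.
    """
    findings = []
    scheme = urlsplit(resp.url).scheme.lower()
    if scheme != "https":
        findings.append("login page is served over plain HTTP")

    if probe is not None:
        # A plain-HTTP request should be bounced to https://, not answered.
        redirected = (probe.status in (301, 302, 307, 308)
                      and urlsplit(probe.location).scheme.lower() == "https")
        if not redirected:
            findings.append("plain-HTTP request to the login path is not redirected to HTTPS")

    # HSTS only makes sense once the page itself is on HTTPS.
    if scheme == "https" and _header(resp.headers, "Strict-Transport-Security") is None:
        findings.append("no Strict-Transport-Security header")

    for raw in resp.set_cookies:
        jar = SimpleCookie()
        jar.load(raw)  # parses one Set-Cookie value, flags included
        for name, morsel in jar.items():
            if name.lower() not in SESSION_COOKIE_NAMES:
                continue
            if not morsel["secure"]:
                findings.append(f"session cookie {name} lacks the Secure flag")
            if not morsel["httponly"]:
                findings.append(f"session cookie {name} lacks the HttpOnly flag")
    return findings


# Constructed sample: the pattern the post describes, a login form over plain HTTP.
WEAK = LoginResponse(
    url="http://edtech.example/login",
    headers={"Content-Type": "text/html"},
    set_cookies=["sessionid=abc123; Path=/"],
)
WEAK_PROBE = PlainHttpProbe(status=200)

# Constructed sample: the same page after login is moved to HTTPS.
HARDENED = LoginResponse(
    url="https://edtech.example/login",
    headers={"Content-Type": "text/html",
             "strict-transport-security": "max-age=31536000; includeSubDomains"},
    set_cookies=["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
)
HARDENED_PROBE = PlainHttpProbe(status=301, location="https://edtech.example/login")

if __name__ == "__main__":
    for label, resp, probe in (("weak", WEAK, WEAK_PROBE), ("hardened", HARDENED, HARDENED_PROBE)):
        print(label, audit_login_transport(resp, probe) or ["no transport findings"])
```

To use this against a live site you would fill in LoginResponse from the final response of a real login page and PlainHttpProbe from a request to the same path over http://, with redirects disabled so the status and Location header are visible. The checks are deliberately read-only: they inspect what the site already sends and never attempt to log in.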

Talking about things that are already fixed adds transparency and openness. There are differing opinions about the best way to disclose security problems that have not yet been fixed. This post by Troy Hunt lays out a good set of guidelines for when it makes sense to publicly disclose security problems; he weighs the consequences to the site’s operators and to its users. It’s worth a read, and Troy’s blog is a great resource for those who’d like to learn more about security.
