Archive for March, 2009

In NoVA? Into WebAppSec? Mark your Calendars

Saturday, March 21st, 2009

For those of you in the Northern Virginia and surrounding area who are into web application security, mark your calendars for April 8th, 2009!

Jeremiah Grossman of WhiteHat Security will be in town and presenting his “Top 10 Web Application Hacking Techniques of 2008” at the OWASP NoVA chapter meeting. Following the presentation, Jeremiah, myself and some other industry representatives will hold a panel discussion on the evolution of pen testing.

I invite you all to join me and the OWASP NoVA chapter members on April 8th at 6PM.

Here are the particulars:
Location:

Booz Allen and Hamilton
13200 Woodland Park Road
Herndon, VA 20171

RSVP:

This event does require an RSVP, please join the OWASP NoVA chapter mailing list and confirm your attendance.

You can also keep an eye on the OWASP NoVA Chapter website and @OWASPNoVA on Twitter.

Customer Care

Saturday, March 21st, 2009

Maybe the title should have been caring for your customers, I’m not sure. Either way, when you’re involved in security, specifically for a product, or a company who builds products, you should be listening to your customers! Who are your customers? Well, that’s a grey area. Is it your employer, the development teams you collaborate with, or users of the product? If you answered all of the above, you’re correct.

Unfortunately, far too often, security folk forget that last one – the product users. All the quality assurance and security testing in the world won’t account for (hopefully) thousands of users and a few (hopefully) conscientious hackers who might be reporting issues.

So how would one go about accomplishing this task?

  • Establish a public, well documented process for bugs to be reported
    This process might be as simple as providing an email address for reporting issues or as complex as a form which creates a ticket in a tracking system. The point is, you MUST have a way for feedback to be provided.
  • LISTEN AND RESPOND TO ALL FEEDBACK
    I can’t stress this enough! When you give users an avenue to report issues, you must accept and acknowledge all reports. When you ignore feedback, your customers get pissed. When your customers get pissed, they turn to any and all online avenues to bash the service and your lack of response. With services like Twitter, Facebook, and MySpace which thrive on user generated content, reputation can be affected within a matter of hours!
  • Be where the feedback is
    Big news: the internet is searchable!

    • Google is a great tool for searching. Furthermore, Google will provide results in RSS feeds which can be loaded into your favorite Feed reader.
    • Twitter is where the people are! Twitter is also searchable and with tools like Tweetdeck and tweetbeeps.com it’s easy to capture tweets which mention your product.

So why do I feel the need to be captain obvious with this post? Well, far too often, as with most security researchers, I’ve reported issues in various products. Some owners have been very responsive while others don’t even bother responding with a form/canned response. With copycat products being released every day, if you don’t take care of your users, they’ll go somewhere else.

For a good place to start on reputation, check out SpinHunters.com