The costly lessons of @XS4me2all
4 June 2014: Frank Brokken, Security Manager at Groningen University, arrives at the World Forum congress centre in The Hague. It is the second day of a conference hosted by the National Cyber Security Centre, which has brought together over a thousand delegates from all parts of the world. They include the Minister of Security and Justice, the directors of the Dutch National Intelligence Agency and the National Cyber Security Centre, leading researchers and captains of industry. The national High Tech Crime Unit is here, as are their counterparts from the FBI. Needless to say, security is tight. But Brokken is not here to rub shoulders with VIPs. He is here to meet the man who, seven years earlier, hacked his university’s computer systems.
Brokken looks slightly out of place as he joins the throng of men in suits. I spot him immediately: his large grey moustache and shock of hair set him apart from the crowd. I attempt to put him at his ease. Brokken scours the room, looking for the man he has come to meet. The hacker has not yet arrived, but we are confident that he will show himself before long. I have set up a studio and intend to video the two men’s first encounter. The world will soon know the real identity of @XS4me2all, otherwise known as the Groningen University Hacker.
It seems strange that @XS4me2all is willing to come here, the lion’s den as it were, to talk about his hack. After all, he wreaked near havoc, infecting the university’s servers and some 250 computers with malware. The cost of the clean-up operation ran into six figures; the damage to the university’s reputation was immeasurable. The episode could have seen him arrested. In fact, @XS4me2all has already spent time behind bars for another hack. Today, he will wipe the slate clean. He already knows that Brokken feels no animosity: the security manager has publicly expressed his admiration for a ‘damn clever hack’, from which he and his organization learned many valuable lessons. The university authorities now take information extremely seriously. Brokken has promised not to press charges, which is why @XS4me2all is now willing to meet him and to speak on camera.
I first met @XS4me2all over a year earlier, soon after I started researching this book. He is now what is known as a ‘penetration tester’: someone who tries to break into a computer system with the full blessing of its owner to determine whether security is adequate. He also hacks in his spare time. He sometimes chooses his targets at random but usually works on tips from the hacker community. @XS4me2all has turned over a new leaf. If he does manage to get into a system, he stops. He does not steal data, he does not manipulate data and he does not add data, malicious or otherwise. He simply contacts the site’s administrator to report his findings. Only after the problems have been resolved does he reveal what he has done so that others can also learn from the exercise. In the jargon, this approach is known as ‘responsible disclosure’.
@XS4me2all was able to tell me about several responsible disclosures, most of which had been reported in the media. But there was one case about which he had remained tight-lipped: the Groningen University hack. We agreed that I would interview him, write the story and check it with him before making any details known to anyone, including the university. I promised not to reveal his name. I set up an anonymous Twitter account, @XS4me2all, through which we could keep in touch. We agreed that his identity would be revealed only if the university gave a firm undertaking that no further steps would be taken in the matter.
At this time, @XS4me2all was still living in a student accommodation on the outskirts of Amsterdam. As a professional penetration tester, he could afford somewhere better. Before long he did indeed move into a ‘real’ apartment, but for now our meetings were held in the same small, dingy room from which he had perpetrated the hack itself. Its floor was strewn with computer manuals. On the one and only table were various documents bearing the crest of the Ministry of Justice. In 2008, he had been sentenced to eighteen days’ detention for computer misuse and membership of a criminal organization. We shall return to this episode later. But first, the Groningen University hack.
February 2007: @XS4me2all is twenty years old. He is officially a student but not at Groningen. In fact, it is a long time since he last deigned to attend a lecture. He spends his days – and nights – trawling the internet, looking for new hacking methods and identifying ever bigger targets. He does it purely for kicks. But he is learning far more than he ever would from classes or lectures. @XS4me2all considers universities to be particularly interesting targets. They have super-fast internet connections, which he can use for his own ends. He decided to explore the Groningen University website. The first thing he noticed was that the network included an online print server. Although it was protected by an encrypted password, he could see what is called the ‘hash value’, the result of the encryption process. There are countless internet sites which publish ‘rainbow tables’: lists of hash values which make it possible to recover the original plaintext password. He soon found a match: the password was ‘S4k1nt0s!’ All he needed now was a username. He tried ‘admin’. He had guessed correctly: he could now log in to the server and explore whether ‘admin’ had access to other online resources. Indeed, he (or she) did: to practically all servers belonging to the same faculty.
Our hacker then repeated the hash and rainbow table trick for other systems, discovering that some admins had access to several different faculty websites. The overlap allowed him to move quickly between them. He noticed that all used the same content management utility: Novell’s ConsoleOne, which was also accessible online. The system admins could update all systems remotely. By now, so could @XS4me2all. Via TCP port 1761, he could penetrate the deepest recesses of Groningen University’s network from the comfort of his student accommodation in Amsterdam.
But @XS4me2all was not yet satisfied. Rather than hacking every server and computer individually, which is a very time-consuming process, he decided to target the image and install server. This bit of kit allows the system administrators to upload back-ups or updates to the network. As each user logs in, the updates are automatically installed on his computer. And so is any malware that has been uploaded by a hacker. Each and every computer becomes infected. Within a month, @XS4me2all had full access to every computer, every folder, every file. On a few computers, he installed malware which had all the characteristics of a keylogger, just to see if it would work. But he didn’t use it because he didn’t have to: he could go anywhere, see anything. He found the Wake-on LAN function particularly entertaining. It allowed him to turn on or ‘wake up’ any computer on the network automatically, despite being almost two hundred kilometres away. He took to doing so at random times in the middle of the night. ‘Picture the scene – the cleaners are working away and suddenly all the computers into life. Great!’
Gaining control of the network was enough for @XS4me2all: mission accomplished. He was not interested in causing any damage. It was like climbing Mount Everest: people do it because it’s there. But he could not resist the temptation of telling other hackers about his achievement on an online forum. They did not believe him. They demanded hard proof. ‘Fine. Give me a video and I will put it on one of the university’s servers.’ He continued to play around with Groningen’s systems, although the novelty was beginning to wear off. One day, however, he noticed frantic activity throughout the network. Passwords were being reset, new firewalls installed. The shit had hit the fan. It was time to log out for the last time.
Although @XS4me2all was keen to put the entire affair behind him, events took an unexpected turn. On 7 March 2007, Groningen University called a press conference. Its spokesman, Jos Speekman, announced that the university’s computer systems had been hacked. According to Speekman, cybercriminals had installed software which enabled them to steal personal information, including passwords to third-party sites and credit card numbers. Moreover, these putative cybercriminals had taken complete control of the systems. They could operate all the university’s computers remotely and were using them to distribute spam and illegal content. The damage was in the order of one hundred thousand euros. The university suspected an inside job: one of its own employees or students was the likely culprit.
The press conference was widely reported in the media and the story soon reached the ears of @XS4me2all. He was astonished, to put it mildly. He had certainly not stolen any credit card information, and the only illicit content involved was a video clip. But he was even more amazed, and less than amused, to see a television interview with someone claiming responsibility for the Groningen hack. ‘Some faceless geek standing in the shadows, with a distorted voice, talking utter bullshit and making the problem out to be a lot worse than it really was.’
Several reports featured the university’s security manager Frank Brokken. He talked openly about the incident and conceded that he had learned much from the experience. Brokken seemed to be an understanding kind of guy, our hacker thought. He would like to meet him to explain exactly what he had done and why. In the event, he decided against doing so for fear of repercussions. He kept a very low profile until 2013, when he was introduced to me. The incident was still weighing heavily on his conscience and he wanted to wipe the slate clean. I could see a good story for my book, and so I offered to act as intermediary between hacker and ‘hackee’.
Frank Brokken was still working at Groningen University. I sent him an email explaining my research and requesting any documents which might cast light on the incident. I also proposed setting up a meeting with @XS4me2all, on condition that the university promised not to press criminal charges or seek damages. Brokken’s reply was encouraging. ‘I am always interested in sharing experiences. In this case, certain vulnerabilities were brought to our attention and I do not regard legal action to be an appropriate response. In that sense, the hacker has nothing to fear. For my part, I am looking forward to a nice cup of coffee.’ The email was signed using the PGP (‘Pretty Good Privacy’) protocol, indicating that it almost certainly sent by Brokken himself. At the time, I had no idea what all the codes in the headers and footers of emails actually mean, but @XS4me2all assured me that this was the case. And if he was happy, so was I.
I arranged a phone interview with Brokken. Neither his words nor his tone suggested any animosity towards @XS4me2all. Quite the reverse: he seemed to hold the hacker in high regard. ‘I think it’s commendable that this lad chose to go about things this way,’ he said. ‘If you have access to the server which installs software on every other computer, you’ve got someone else to do all your work for you. That’s efficiency!’ Brokken even laughed out loud when I told him about the computers being turned on in the wee small hours. He responded with some anecdotes about hacks from his own youth. ‘In those days, we were still working with mainframes and very few people were familiar with computers. Someone wrote a program which displayed an “all-seeing eye” on a colleague’s monitor. The eye seemed to follow his every move, much to his discomfort. We had to laugh!’ And Brokken is still laughing today.
This was clearly someone who understands the hacker’s perspective and I decided that it would be safe to invite Frank Brokken to meet us at the conference. He was happy to do so. @XS4me2all was less thrilled at the prospect. ‘The NCSC conference? I may not be very popular among that crowd. Can’t you find somewhere a bit more... low key?’ I could see his point. And besides, some of his pentest clients might also be there. They may not be as forgiving as Frank Brokken. I suggested that we should record the interview without an audience: on camera but in camera, so to speak. All three of us would then be able to decide how much – if anything – was to be made public. They both agreed.
On 4 June 2014, I therefore found myself face-to-face with Frank Brokken. The studio lights were on and we were ready to roll. What Brokken did not know was that one of the ‘camera crew’ just over my left shoulder was none other than @XS4me2all. We decided to conduct the interview in English, since this was an international conference and we wanted to tell our foreign guests about responsible disclosure in the Netherlands. I assured Brokken that we could stop the interview at any time. Retakes were no problem: we could edit out any fluffs on the fly. In the event, he proved to be a consummate interviewee, talking with ease about every aspect of the hack: the email informing him that the systems were insecure, the hacker’s skilful use of the image and install server to do all the ‘dirty work’, and why he had considered it so important to reveal that systems had been compromised.
The moment had come. ‘You are now going to meet the man who hacked your systems,’ I announced in my most portentous tone. @XS4me2all stepped out from behind the camera and offered his hand. ‘So you’re the bad guy?’ said Brokken. ‘Yes, I’m the bad guy,’ he replied with a smile. The conversation proceeded with very little prompting from me. The hacker explained precisely what he had done, and the security manager responded to each new revelation with appropriate surprise. @XS4me2all admitted to having hacked several other university networks. Groningen was the only institute to publicly acknowledge that it had been targeted. Brokken believed in being open, he explained, which was also why he had agreed to this meeting. ‘If you are open and honest, you can turn something bad into something good.’ The two men were still talking long after we had wrapped up the interview. As I was preparing my next item, I could see them strolling into the distance together like long-lost brothers.
Hacking is the act of breaking into someone else’s information systems. You might say that hacking is as old as computers themselves, but in many ways the reverse is true. A very influential figure in the development of modern computer science was the ‘hacker’ Alan Turing. In the Second World War, Turing cracked the supposedly impenetrable Enigma Code used by the Germans. His mathematical model, known as the Turing machine, forms the basis the first computers built.
It is rare, perhaps unknown, for an information system to be 100% secure from the outset. Vulnerabilities, flaws, holes and bugs will almost inevitably creep in. To find them calls for the services of skilled hackers. There are ‘bad’ hackers, whose motives are at best questionable, and there are good hackers whose aim is to improve security. The former are known as ‘black hats’, and the latter as ‘white hats’, after the favoured headgear of the goodies and baddies in Hollywood westerns. In the real world of cyber security, however, the hats come in many shades of grey. The Groningen University incident demonstrates that even a hacker who goes too far can achieve much good. Thanks to @XS4me2all, the university realized just how poor its security was, and could take remedial action before a really malicious hacker could go to work.
The vast majority of ethical hackers whom I have interviewed for this book have never faced criminal charges but many have edged very close to the boundary line between the acceptable and the unacceptable. The essence of responsible disclosure is to look beyond that line without crossing it, no matter how great the temptation may be. An ethical hacker promptly informs the system owner what he has seen on the other side.
The hackers whose stories appear in this book share a well-developed sense of responsibility. Their motives are honourable; they wish to help others solve security problems in order to stay one step ahead of those whose motives are not. Members of the hacking community are generally young, around twenty years of age, and fiercely intelligent. They think in a different way to the rest of us. They can look at a website, app or program and immediately spot something that is ‘not quite right’, something that even the programmer or system administrator has overlooked. Hackers are also doggedly persistent. Their curiosity drives them to press on long after most people would have given up. They derive enormous satisfaction from solving the puzzle, and from letting others know that they have done so. Ethical hackers are altruistic: they work to make the digital world safer and more secure, often with no thought of reward. Many, such as @XS4me2all, risk arrest and prosecution.
How would you react if you received an anonymous email informing you that your website is full of holes, that it is possible to defraud your payment system, or that anyone could walk into your building using a homemade pass? Would you take the warning seriously? Do you act on unsolicited advice? Or do you take the view that you have better things to do with your time? Fortunately, a growing number of organizations now have a policy which encourages hackers to contact them if they find anything untoward. That policy goes under the heading of ‘Responsible Disclosure’. But theory is rarely the same as practice. A system administrator might receive a report on the eve of his annual holiday. He decides that it can wait until he gets back. A manager who is already snowed under with work passes a report to the legal department which then takes the wrong kind of action, contacting the police or retaining a lawyer. A helpdesk might insist that the organization’s site is entirely secure because staff have been instructed not to ‘alarm’ customers.
This is when things go awry, because most ethical hackers will not be brushed off. They will not give up. Whether driven by a sense of duty, a need for recognition or just simple frustration, they will sooner or later reveal their findings to the world at large. They will go public through an online chatroom, social media, an online blog or by contacting a journalist. After all, they did try to do things ‘the right way’, but were ignored.
Recent years have seen a string of security scandals. The Dutch public has read that the smartcard used to pay for public transport can be cloned, that the pumps which keep the country safe from flooding can be controlled by anyone with an internet connection, and that DigiD, the system used to log in to e-government websites, has more holes than a colander on a golf course. Patients’ medical records have been leaked, conference calls made by senior defence staff have been bugged. Banking apps are so insecure that customers’ accounts can be emptied in seconds. The list goes on. If we are to believe what we read in the press and see on television, anything and everything can be hacked and no one is doing a damn thing about it.
Journalists, politicians and the public lap up stories like this. Behind every problem is an organization which has not been doing its job properly. Accusations fly hither and thither: people must be held to account, heads must roll. Questions are raised in parliament, and the guilty (or at least negligent) parties may indeed find themselves answering to the courts. The hacking community will ridicule the hapless victims on Twitter. They should have listened to us: forewarned is forearmed! The hackers have a point. With just a little more mutual understanding, the organization could have benefited from free expert advice while the hacker would have earned recognition for his ‘volunteer work’.
The Netherlands is famous for its ‘polder model’ of decision-making. Consultation and negotiation between various stakeholders will, it is held, eventually give rise to an outcome that satisfies all interests. The polder model dates from an era in which the common interest demanded the construction of polders, dams, dikes, and other water defences to keep our country, much of which lies below sea level, safe from flooding. Today, we see a similar approach being taken to cyber security. All the various stakeholders are being invited to take part in open discussion and negotiation. In my view, the polder model is particularly appropriate to the way in which modern information systems are structured. The internet does not have a ‘supreme high command’; there is no central organization responsible for managing, updating, improving or otherwise spinning the World Wide Web. Rather, there is a long and complex chain of countless different systems. Everybody is responsible for their own link in the chain but no one is responsible for the chain as a whole. To ensure that the chain functions effectively demands cooperation, openness and mutual understanding.
That is why I have written this book. I wish to give ethical hackers, system administrators, managers, helpdesk staff and all the other stakeholders a glimpse into each other’s world. I want to help them understand each other’s motives and interests. My target readership also includes the politicians, policy-makers, legislators and journalists to whom these stakeholders are accountable. And because information security is often concerned with personal data, this book is also for everyone, the general public – you. Who is to say that your medical records will not be leaked tomorrow? As a society, we have become dependent on information technology. It is useful to know exactly how that technology deals with our personal, perhaps intimate, information. We often learn most from the incidents in which things have gone seriously wrong. At the same time, it is reassuring to know that so many people are working hard to ensure that things will not go wrong ever again. Cyber security involves technology, but it is people who determine its success.
Each of the following chapters presents a case study in which a hacker finds a vulnerability which he then discloses, with all the consequences this entails. I have selected the cases for their diversity: they represent a broad range of different technologies, hacking methods and targets. As we shall see, the consequences of a hacker’s actions can also vary greatly. We know what should happen in the ideal situation: the hacker finds a vulnerability and reports it to the system owner who immediately rectifies the problem. In practice however, there are likely to be several security flaws: they tend to hunt in packs. The hacker’s report will be passed from pillar to post because no one knows who is responsible for what. The process is no more than a ‘concatenation of circumstances’ and the outcome may be a matter of luck. Even so, certain recurring patterns can be detected, largely because people are creatures of habit. They tend to do whatever they did last time, and the time before that. I hope to reveal these patterns, and where possible break the less desirable habits.
If the course and outcome of the cases rely so heavily on the perspectives of the various actors, what about my perspective? Who am I? What is my interest in cyber security? What is my frame of reference? My name is Chris van ’t Hof. I am a researcher, journalist, presenter and sociologist. I also have a technical background, in electrical engineering. I am the author of several books about the information society, most of which were commissioned by various research institutes. These works involved the input of fellow researchers, one or more editors and the publisher. I was keen to produce the current volume as a ‘solo effort’, precisely because there are so many widely differing views and opinions about its subject matter: hacking. I wanted to meet the hackers in person and write their stories myself, so that there could be no underlying agenda or editorial ‘tweaking’ to pander to a client’s policy or a publisher’s commercial interests.
That is not to say that there has been no input from other people. On the contrary. Everyone I interviewed was given the opportunity to read and comment on my drafts. Almost all case studies have been published in abridged form in the professional journal Informatiebeveiliging, which means that the facts have been checked by the editors. I submitted a draft of this book to several expert reviewers. Their names are listed elsewhere and I am of course extremely grateful for their help. I placed the entire text of the original Dutch version of the book online, inviting comments and suggestions from anyone who cared to offer them. Once again, I am most grateful to everyone who took the trouble to contact me. But the fact remains that this is my book, my story. For that reason, I fly in the face of academic tradition and make extensive use of the first person singular throughout.
In this introduction, I have told the story of an anonymous hacker who, in 2007, crossed the line. He went beyond the bounds of the acceptable and strayed onto the dark side. He has since mended his ways and is a reformed character. He eventually revealed all in 2014. All the following cases played out in the intervening period. I present them in chronological order to illustrate the line of development. I begin with a ‘classic’ story which will be familiar to many.
In 2005, transport operators in the Netherlands started to roll out a contactless smartcard payment system which would eventually replace paper tickets on trains, buses and trams nationwide. London has the Oyster card, Hong Kong has the Octopus, Manila has the Beep and Paris has the Calypso. The more prosaic Dutch decided to name their version the OV-chipkaart, literally the Public Transport Chipcard.
Not long after its introduction, the OV-chipkaart had been cracked by security researchers at Radboud University. I devote three chapters to this case, examining it from the various perspectives of the actors involved: the hackers, the government, the consortium responsible for developing and implementing the system, the judicial authorities and the media. One prominent actor was @brenno, journalist Brenno de Winter, who used a cracked smartcard to show just how easy it was to fare-dodge undetected. De Winter was also responsible for ‘Lektober’ (Leak-tober), an awareness campaign which named a different insecure website every day for a month. One of the hackers who identified the websites was Wouter van Dongen, who went on to establish a successful business based on the hacking methods he used.
Next, I consider the SCADA systems case, in which a list of IP addresses compiled by an anonymous hacker revealed that essential components of the Netherland’s water management system could be controlled by anyone with internet access. I examine the media’s response to revelations like this: is it balanced and objective? The media coverage is often grist to the mill of the opposition parties who wish to embarrass the government. I consider how the ‘establishment’ – the government and the judicial system – have struggled with the concept of ethical hacking, and how difficult it can be to determine who is ultimately responsible for digital security. If everyone is partially responsible, no one is entirely responsible.
Subsequent chapters look at how various organizations reacted when told that their security was flawed. The Ministry of Defence was not unduly concerned to hear that @UID_ had tapped into its teleconferencing system. ING Bank barely batted an eyelid when @floorter claimed to be able to hijack its new mobile phone app, although the problem was rectified with improbable haste. By contrast, the online auction site Marktplaats.nl was among the first to implement a responsible disclosure policy, rewarding @legosteentje with a white hat, and later a fulltime job. All these cases attracted some media attention but were resolved without too much commotion or controversy. By now, parliament had begun to discuss responsible disclosure and the appropriate response to ethical hacking.
Next, I consider a number of cases in which legal action was taken, or at least threatened. Teenage hacker @jmschroder showed Habbo how he had been able to log into its helpdesk system, whereupon the company brought criminal charges. The wheels of justice can turn very slowly and it was two long years before the courts ruled that there was no case to answer, a decision largely based on a legal technicality. Politician and publisher Henk Krol was not so fortunate. He was fined for disclosing how he had accessed confidential medical files in the computer system of a diagnostic clinic. The court ruled that he had crossed the line and ‘gone just a little too far.’ Similarly, the hacker who targeted the Groene Hart hospital in Gouda was arrested and brought to trial. This apparent injustice attracted much criticism in the media and even in parliament. Only later did it emerge that the hacker had crossed the line of the acceptable in more ways than one. My final legal case involves the researchers at Radboud University. They had cracked an RFID-based vehicle immobilizer system. Although it was neither the developer, owner or vendor of the technology, the German car manufacturer Volkswagen successfully applied to the High Court of England and Wales to prevent publication of the Radboud team’s research paper.
Next, I turn to matters of policy. In early 2013, the Dutch National Cyber Security Centre published a ‘Guideline for Responsible Disclosure’. An increasing number of organizations have adopted a formal responsible disclosure policy and have set up an email address or hotline through which ethical hackers can report the vulnerabilities they find. Even so, hacking remains a criminal offence. The authorities have decided that each case must be considered on its merits to determine whether the hacker has acted responsibly and ethnically in pursuit of a higher purpose. According to the Minister of Security and Justice, Ivo Opstelten, the Netherlands is unique in having adopted this approach. To quote the exact words he used at one international meeting, ‘This is how the Dutch do responsible disclosure.’
Ethical hackers – the genuine ‘White Hats’ – now know precisely how close to the line they can go. They know how to elicit an appropriate response to security problems without involving the media or invoking the wrath of the authorities. When @stevenketelaar and @bl4sty managed to hack a popular model of modem, they were invited to telecom operator KPN’s head office to demonstrate. The organization welcomed them with open arms, treating the pair as VIP guests. The University of Amsterdam now includes ethical hacking on the curriculum and students work under the guidance of an ethics committee headed by @1sand0s. One Amsterdam student, @iliaselmatani, found a way to download digital textbooks from the publisher’s website without going through the tedious process of actually paying for them. But he refrained from doing so, instead asking me to contact the publishers on his behalf. They invited us both for a ‘constructive chat’.
My final three chapters are devoted to ethical hackers who have chosen to keep a low profile, preferring to work behind the scenes. The veteran hacker @0xDUDE has almost four thousand responsible disclosures to his unblemished name. Relative newcomers @rickgeex and @smiegles have indeed attracted the attention of the authorities but in a positive sense. Both have been thanked and congratulated by numerous public and private sector organizations.
In my final chapter, Going Global, I suggest lessons that can be learned from the case studies and from the response to the Dutch version of this book when it was published in 2015. Recent years have seen significant changes on the Dutch digital landscape. It seems that both the government and the private sector are coming to embrace the concept of responsible disclosure. But will the Dutch approach work in other countries? I have my own company and website, to which I have now added a contact form so that visitors can report any security bugs they may find. We shall see what happens.
As noted above, my cases studies are presented in chronological order to illustrate how attitudes to responsible disclosure have developed. Each case is considered from the various perspectives of the actors involved: the hacker, the system owner, the media, government, policy-makers and the judicial authorities. Do you need to understand SQL injection, the innermost workings of the Dutch political system or the exact legal definition of ‘computer misuse’ in order to read this book? Not if I have done my job properly. Hopefully, I can present the actors’ motives, interests and frames of reference without recourse to technical jargon. I have tried to explain how they decide whether a hack is indeed ethical and the resultant disclosure responsible. If I have muddied the waters with techno-speak, please feel free to ‘RTFM’, as the hackers say. In other words, refer to the glossary of technical terms in the appendix.
Also included is a sample ‘responsible disclosure policy statement’, which you can add to your own website. By doing so, you will be inviting helpful hackers to help you. I hope that, having read this book, you too will wish to promote the concept of responsible disclosure.
@cvthof, December 2015