Reporting bugs without backlash: Towards fixing flaws without fear


To strengthen Malaysia's cybersecurity, IT professionals seek safe, legal ways to report vulnerabilities without fear of repercussions. — This image was human-created, AI-aided

A community member discovers a critical security gap in a government system or a major corporation’s platform and shares it online.

Hours later, the issue is quietly resolved, but the efforts of those who first identified it often go unacknowledged.

This scenario is familiar to Malaysia’s IT community, which, despite its efforts to secure the nation’s digital infrastructure, faces the risk of legal repercussions for publicly exposing such vulnerabilities, says Daren Tan, founder of the IT community Developer Kaki.

“The biggest worry is definitely getting sued. Companies might threaten legal action because they think we’re hurting their reputation or business.

“There’s also the risk that someone with bad intentions might use what we found to cause problems before the fix is ready,” he says, adding that explaining technical issues to those who aren’t tech-savvy can be challenging without revealing too many details about the vulnerability’s workings.

Despite the obstacles, they soldier on, as Tan says the drive to resolve these issues is a fundamental aspect of being a developer and IT practitioner.

Tan believes best practices should be followed when disclosing vulnerabilities. This includes masking or removing sensitive information and avoiding technical details that could help bad actors exploit the vulnerability while focusing on why the issue needs urgent fixing and potential solutions. — DAREN TAN

“Sure, the ‘right way’ is to report issues privately to the authorities, but we run into two big problems.

The first, according to him, is that “sometimes nothing happens because there’s no real pressure or repercussions to fix things”, while at “other times it gets stuck in an endless bureaucratic back-and-forth between departments and vendors”.

Tan highlights an experience shared by another community member, who noted that companies operating in Malaysia seem to face no repercussions for failing to address issues within a given timeframe, which is a fundamental problem.

He adds that when the proper channels yield no progress or move too slowly, the most effective way to initiate action from those responsible is to go public with the findings.

“The government and companies need to make it safer for people to come forward with security problems they find.

“This means having clear rules about what’s OK and what’s not when reporting issues, protecting people who report problems in good faith, and maybe even offering rewards for finding serious security gaps, aka bug bounty.

“Right now, a lot of people hesitate to report problems because they’re worried about getting in trouble, and that needs to change,” he says.

Tan, who is also CEO of ALPHV Technologies, stresses that the IT community wants to make tech safer for everyone, not stir up trouble or show off.

“To give an analogy, we are like the people who spot a broken lock on a door and want to tell the building manager before something bad happens.

“We spend our own time looking for these problems because we care about keeping systems secure, and we’d rather find and fix these issues before someone with bad intentions discovers them,” he says.

Unsung heroes

Tan says that being formally acknowledged by the authorities or government could go a long way to show that the IT community is being recognised and valued.

“Even better if they’d have roundtable discussions with us. Right now, it feels like we’re shouting into the void. Knowing we have ‘official eyes’ on our work would motivate people to do more.

Nacsa acknowledges that it has not established formal protocols or guidelines for independent cybersecurity researchers to report vulnerabilities, but it assures that these measures are already in the pipeline. — Image by freepik

“Think about it – if there was a clear channel between the community and these agencies, we could work together much more effectively. We could have real conversations about threats and solutions,” he says.

He adds that it’s not about seeking praise or recognition, but rather about fostering a partnership where both parties can build better understanding and trust.

“More IT professionals would feel confident reporting issues if they knew they had some backing from authorities.

“It could turn what’s sometimes seen as ‘troublemaking’ into recognised public service,” he says.

When approached by LifestyleTech, a National Cyber Security Agency (Nacsa) spokesperson said the community's efforts have not gone unnoticed, acknowledging the critical role that IT communities and the public play in identifying and reporting vulnerabilities.

“Their expertise and vigilance enhance national cybersecurity by enabling early detection and resolution of risk.

“Nacsa encourages responsible disclosure practices and collaboration to strengthen the resilience of government and private sector platforms, fostering a secure digital environment for all,” he says.

The spokesperson highlights that there needs to be a balance between transparency and security when it comes to making public reports, with unmitigated disclosure potentially exposing systems to exploitation, leaving them at risk of data breaches and service disruptions.

“Nacsa advocates allowing time for remediation before public release and ensuring security while maintaining accountability. Collaboration is key to achieving this balance.

“The primary risk is exploitation, especially when vulnerabilities are disclosed prematurely. A thorough risk assessment is necessary to understand the impact of public disclosure and the potential for misuse by malicious actors.

“While transparency may pose risks to data security, the benefits of informed awareness cannot be overlooked,” he says.

The Nacsa spokesperson stresses that vulnerabilities should only be disclosed to trusted parties like vendors or organisations that are responsible for mitigating threats in order to minimise exposure to cyber threats.

He adds that when public disclosure is necessary to protect people, vendors and the IT community should first collaborate to verify fixes using anonymised details. This approach safeguards sensitive information about the vulnerability while informing the relevant parties.

“Additionally, communicating the resolution efforts through clear messaging can help prevent panic and reduce exploitation risks,” he says.

Tan highlights similar concerns about the risks of individuals going public with significant vulnerabilities, which often spark divisive discussions within the community.

Tan says that being formally acknowledged by the authorities or government could go a long way to show that the IT community is being recognised and valued. — 123rf

From his perspective, Tan believes best practices should be followed when disclosing vulnerabilities. This includes masking or removing sensitive information and avoiding technical details that could help bad actors exploit the vulnerability while focusing on why the issue needs urgent fixing and potential solutions.

“It’s a bit like walking a tightrope. We need to be clear enough that companies and users understand why it’s serious, but not so detailed that we’re basically handing out a how-to guide for attackers.

“The way we handle it is to focus on the impact – showing what could go wrong – rather than the exact steps of how it works.

“For example, instead of showing exactly how to access someone’s private data, we might say ‘this bug could let unauthorised users view personal information’.

“Then we work with the company privately on the technical details. Sometimes we’ll include proof that the vulnerability is real by showing screenshots with sensitive info blocked out or by demonstrating it to the company’s security team directly.

“The key is giving enough information to prove it’s a real problem that needs fixing while keeping the dangerous details under wraps until it’s patched. And when we do go public, we time it so the company has had a fair chance to fix things first,” Tan says.

Given that most Malaysian companies lack disclosure programmes, Tan recommends adhering to industry standards in the meantime. He advises following standard disclosure timelines – typically a 90-day window – to allow time for patches to be developed.

Tan adds that vulnerability disclosure programmes should be kept separate from regular support channels to enable direct communication with technical teams.
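As an added example (not code from the article, from Tan or from Developer Kaki), here is a small Python helper for the sanitising step described above: it masks the kinds of personal data and credentials that a proof-of-concept capture tends to contain, checks that nothing sensitive remains before a write-up goes public, and works out the earliest publication date under the 90-day window mentioned above. The sample request, the field names and the regex patterns are constructed for illustration; the NRIC pattern assumes the Malaysian MyKad number format (YYMMDD-PB-####), and the token pattern only covers Bearer-style credentials.

```python
import re
from datetime import date, timedelta

# Patterns for data that must never appear in a public disclosure.
# These are illustrative assumptions, not an exhaustive PII/secret list.
# Order matters: the NRIC rule runs before the card rule so a 12-digit
# identity number is never mistaken for part of a card number.
REDACTIONS = [
    ("NRIC",  re.compile(r"\b\d{6}-\d{2}-\d{4}\b"), "[NRIC REDACTED]"),
    ("CARD",  re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "[CARD REDACTED]"),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL REDACTED]"),
    # Keep the "Bearer " prefix so the reader still sees *what* leaked.
    ("TOKEN", re.compile(r"(?i)(bearer\s+)([A-Za-z0-9._~+/-]{16,}=*)"),
     r"\1[TOKEN REDACTED]"),
]

# Constructed proof-of-concept capture (not a real request or real data).
SAMPLE_REQUEST = """GET /api/users/42 HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXRva2Vu.abc123

{"name": "Ali bin Abu", "nric": "900101-14-5678",
 "email": "ali@example.com", "card": "4111 1111 1111 1111"}
"""


def redact(text):
    """Mask sensitive values; return (sanitised_text, counts_per_label)."""
    counts = {}
    for label, pattern, replacement in REDACTIONS:
        text, hits = pattern.subn(replacement, text)
        if hits:
            counts[label] = hits
    return text, counts


def is_publishable(text):
    """Final check before posting: True only if no pattern still matches."""
    return all(pattern.search(text) is None for _, pattern, _ in REDACTIONS)


def disclosure_deadline(reported_on, window_days=90):
    """Earliest public-disclosure date under a fixed window (90 days per the article)."""
    return reported_on + timedelta(days=window_days)


if __name__ == "__main__":
    sanitised, counts = redact(SAMPLE_REQUEST)
    print(sanitised)
    print("redacted:", counts, "publishable:", is_publishable(sanitised))
    print("earliest public disclosure:", disclosure_deadline(date(2025, 1, 15)))
```

The sanitised capture still proves the point Tan makes (unauthorised access returns another user's record) without handing over a working credential or a real identity number; `is_publishable` is the gate to run on the final draft, not on the raw capture.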

Crowd-sourced cybersecurity

Nacsa acknowledges that it has not established formal protocols or guidelines for independent cybersecurity researchers to report vulnerabilities, but it assures that these measures are already in the pipeline.

To ensure reports can be made safely and responsibly, Nacsa is developing a structured framework, with comprehensive reporting guidelines set to be included in the revised Malaysia Cyber Security Strategy (MCSS) for 2025–2030.

Findings from the National Cyber Crisis Management Plan (NCCMP) will also be integrated into the MCSS.

“While the MCSS is primarily a strategic framework, its success in improving incident management processes will hinge on ensuring that the entire cybersecurity ecosystem is well-prepared for future challenges.

“One initiative is implementing the Vulnerability Disclosure Programme (VDP), which aims to ensure efficient and secure handling of vulnerabilities while fostering trust and collaboration across sectors,” he says.

Nacsa also says it is “open to crowd-sourced vulnerability identification and believes it is a valuable complement to official cybersecurity efforts”.

It cites the Cyber Security Awareness Coordinating Committee, formed last September under the National Cyber Security Committee (JKSN), as an example of public and private sector collaboration.

The committee, which held its first meeting in December last year, included non-governmental organisations like the cybersecurity community, rawSEC, the Malaysia Cyber Consumer Association, and the National Tech Association of Malaysia (Pikom).

“Nacsa consistently engages with IT communities and the general public through various platforms to gather essential input and feedback,” the spokesperson says, adding that as the agency spearheads the national cybersecurity agenda, it “is eager to receive constructive feedback and insights from these entities”.

The committee is chaired by the director-general of the National Security Council (NSC) Datuk Raja Nushirwan Zainal Abidin, with Nacsa serving as the secretariat.

“We welcome anyone who wishes to contribute. The spirit of shared responsibility in cybersecurity has always been a cornerstone of fostering resilience and ensuring collective safety in the digital landscape,” he says.

Those keen on working with the Cyber Security Awareness Coordinating Committee may reach out to Nacsa directly to be included in the agency’s engagement sessions.

With an expansion to Nacsa’s workforce, the agency is also set to boost engagement with stakeholders, using existing IT community platforms to strengthen the cyber ecosystem collaboratively, the spokesperson says.

“Engaging a diverse pool of skilled individuals and communities expands the scope of threat detection and fosters innovative solutions.

“This collaborative approach enhances resilience by uncovering vulnerabilities that may escape traditional methods.

“When integrated with structured frameworks, crowd-sourced efforts can strengthen national cybersecurity while maintaining accountability and system integrity,” says the Nacsa spokesperson.

Tan, however, hopes for a public portal where authorities can publish turnaround times and service level agreements – including outlining standards for addressing issues – when handling vulnerability reports. This, he says, would assure the community that their reports and complaints are being taken seriously.

“We need a system similar to OWASP (Open Worldwide Application Security Project) where we can report and track any potential or discovered vulnerabilities. These reports would go directly to the right companies and developers who can fix the issues.

“When problems occur, they can patch the vulnerabilities, reverse any hacks, and restore systems using the last known good backup,” Tan says, adding that strong cybersecurity is a key part of Industry 4.0’s technology and automation framework.
