After several eventful months of writing, ruminating, revising, and listening to feedback from the security industry and our web hosting working group, we are proud to announce the public release of StopBadware’s Best Practices for Web Hosting Providers: Responding to Malware Reports. We had some pretty lofty goals in starting this project: we wanted to address the hosting industry’s lack of consensus about how to respond to malware reports; we wanted to enable transparent, productive discussion among hosting providers, security researchers, and policymakers; and we wanted to come out of it all with a realistic, complete set of best practices that could be implemented effectively, whether by a small reseller or a large operator. Through a lot of hard work, and with invaluable insight from our working group and the community, we’re confident that our final best practices document achieves every one of those goals.

It’s unfortunately commonplace for malicious actors to create websites that seem legitimate, but that actually contain or link to malware. Oftentimes, the goal of these malicious actors is to spread malware by compromising other websites and infecting those sites’ visitors. Security researchers or concerned users routinely report these malicious sites to web hosting providers, but there can be a slew of questions and concerns surrounding response to malware reports, even when hosting providers have every intention of protecting their customers. Is the malicious URL in the report definitively within the provider’s zone of control? Does acknowledging a report carry legal implications for a hosting provider? What if the security researcher obtains new information and needs to follow up on the original report? StopBadware’s best practices provide a high-level framework for hosting providers who are committed to protecting their customers and acting as good Internet citizens; the Practices set universal guidelines for what steps hosting providers can—and should—take upon receiving a malware report.

We received a lot of enthusiastic participation while we were developing the Practices; likewise, we’ve received a great deal of support leading up to this public release, including and especially from some of the hosting providers who participated in our working group. We’re optimistic about the Practices’ potential to highlight the positive impact hosting providers can have when they commit to protecting users responsibly. And we’re extremely excited about the focus this project has brought to the fight against badware. We’d like to extend our most sincere gratitude to both our sensational working group and the community for the time, thought, and openness they dedicated to this project.

In addition to the best practices, we’ve created some extra materials to help web hosting companies understand and more effectively implement the Practices--all of which are freely available for your perusal.  We also have physical best practices packages for purchase; to support StopBadware’s Practices, check out a technician’s kit or  a larger team kit! StopBadware’s Best Practices for Web Hosting Providers: Responding to Malware Reports is available in full at http://stopbadware.org/home/webhost. You can read the full press release here.

We have several other significant projects in the works right now; you can expect to see much more from us in the coming months. Thanks for your continuing support!

**Update: We were remiss in not thanking Tucows for their support throughout this process and their help with publicity. Our apologies to Tucows--of course, you have our gratitude for everything you've provided during this project!