I have identified a software bug in a platform, one that causes leakage of possibly private information in situations where an app developer on that platform might not expect such leakage. It's not something that is especially easy to exploit, but it is certainly possible. It's somewhat convoluted for an app developer to fix, but I have some proof-of-concept code that helps resolve the problem, at least in some scenarios.

I filed a security bug report with the platform vendor. After initially agreeing that it is a security bug ("Moderate" severity), they have now come back and stated "this is currently working as intended" and "we have determined there isn't a security impact". This was 10 days after filing the report, and their guidelines request a 90-day responsible disclosure timetable.

Given their "working as intended"/"isn't a security impact" response, am I under any obligation to continue to sit on this for the remaining 80 days? Or can I start advising affected developers on how to work around this bug?

techraf
CommonsWare
  • Coordinated disclosure, please :) – wireghoul Jun 01 '16 at 01:48
  • Is this some kind of username enumeration vulnerability or something similar? In that case, there's [a fairly good reason](https://security.stackexchange.com/questions/124653/why-do-several-bug-bounties-ignore-user-enumeration) why it's often not considered a vulnerability. If there's really no good way to fix information leakage, then you just have to make sure you've got good controls to mitigate the issue. – Lie Ryan Jun 01 '16 at 15:20
  • @LieRyan: "Is this some kind of username enumeration vulnerability or something similar?" -- no. – CommonsWare Jun 01 '16 at 15:23

1 Answer

You are not "obliged" to follow any such practice. Not following them may simply mean that you won't be eligible for some goodies. Or that they can't properly provide a fix.

As for the disclosure itself, it would be ethical in my opinion not to wait for the remaining 80 days.

There's a notorious case of a security researcher who used his not-a-bug on Facebook to post on Mark Zuckerberg's wall (and Facebook "surprisingly" treated him as if he was exploiting a bug).

I would recommend asking again, so you get an explicit statement on their part that they are not interested in the disclosure being embargoed. As an alternative, you may also tell them that you consider it no longer embargoed and thus you will disclose it in e.g. 1-2 days from your message unless they tell you otherwise.

It's not so uncommon that some vulnerabilities are initially triaged as not-bugs but later reassessed after they better understand them. You may insist on trying to convince them. In which case you should wait before moving into the "I will disclose it now" phase.

Ángel
  • I have no interest in "goodies". This isn't a bug that the vendor can readily fix for existing platform installations, other than via app developer workarounds like the ones I am working on. I like the "will disclose if I don't hear from you" approach. Thanks for the feedback! – CommonsWare May 31 '16 at 23:46