If I've discovered a vulnerability, and disclosed it to the website/app's developer, how should I disclose it publicly?

I gave the developer ample time to address the issue, as recommended by this. I know I should now be disclosing publicly, so as to warn potential users, but how and where should I do this?

Academiphile
  • Have you got any reaction from the responsible person? Are you sure that enough time has passed? Have you set a deadline at the beginning? – Noir Jul 25 '16 at 14:13
  • Send a followup advising that per the schedule in the link you will be disclosing the vulnerability publicly in x weeks time if you do not receive a response. – AlexH Jul 25 '16 at 14:17
  • First, make sure what you disclosed is not something ambiguous like "I found something" with no clue on reproducing the issues. Keep an email log of the target's responses. I suggest you go through best practices like this: https://titanous.com/posts/security-disclosure-policy-best-practices – mootmoot Jul 25 '16 at 14:29
  • There are hundreds, if not thousands/millions of websites with security vulnerabilities and it's very possible that the developer of the site no longer maintains it. Is this site worth exposing? If it is not too much to ask then what's the website? If you've hacked some relatively unknown phpBB forum or WordPress blog then is it really worth exposing? Have you uncovered sensitive data? – MonkeyZeus Jul 25 '16 at 20:19
  • I guess I'll try to send another email or call. The latest website I've found is simply collecting credit card data over HTTP, which I know is pretty bad practice. – Academiphile Jul 25 '16 at 20:31
  • Accepting credit card data over HTTP is certainly a bad practice, especially with HTTPS certificates available for only $10/year. However, I don't think this qualifies as a vulnerability in the application. In fact there's not much meaningful information to publish in that case because the site can't be directly attacked with this configuration, only its users' connections across the world. – 700 Software Jul 25 '16 at 21:38
  • Oh, so you just want to report a web site that uses HTTP to send credit card numbers? That situation is a bit different than finding a serious vulnerability in a website/app. Anyway, that's covered by http://security.stackexchange.com/q/3219/971. See also http://security.stackexchange.com/q/8882/971 and http://security.stackexchange.com/q/64789/971 and http://security.stackexchange.com/q/9570/971 and http://security.stackexchange.com/q/5594/971. – D.W. Jul 25 '16 at 21:52

4 Answers

You can try getting CERT involved. https://vulcoord.cert.org/VulReport/

We are more likely to accept reports if they:

  • are technically accurate, sufficiently detailed, and reasonably complete
  • affect multiple vendors
  • impact safety or critical infrastructure
  • involve disagreement or dispute between reporters and vendors
  • involve hard-to-reach or unresponsive vendors
  • affect vendors or sectors that are new to software security and vulnerability disclosure
  • require reporter anonymity
Iraklis
  • Yes, but the question asks how to *publicly* disclose the vulnerability. CERT doesn't publicly disclose the vulnerability. If the developer has decided not to act on it, CERT might not be terribly helpful. – D.W. Jul 25 '16 at 20:14
  • Some vendors get scared and reevaluate the situation when they are contacted by acronyms with official logos, rather than a random internet person (not trying to have a go at the op!) – Iraklis Jul 25 '16 at 20:52
The vulnerability may exist due to negligence, ignorance or limited resources. The owners get to decide when and how to solve the problem. The decision is their responsibility, not yours.

  1. Take an extra step to disclose your proof of vulnerability to the owners of the site.
    (i.e. verify they are receiving your communications)

  2. If you do not get a satisfactory response, pass this information on to their boss.
    (higher rank in company, or parent company)

As others have said, be courteous and professional. This will help you to gain credibility. You should start with a simple human explanation (just the facts), and in the same email you should include the technical details (so the company can verify your findings before replying).

If all avenues fail, I would encourage you to pass the evidence on to the responsible public service (one poster suggested CERT), however I am not experienced in this.

You should not disclose the vulnerability publicly.

  • This may lead to a successful attack by individual(s) with poor intention.
  • In many jurisdictions, there are legal consequences that companies can impose on individuals in your position.
  • Such publication can promote a poor balance of responsibility between the attacker and the defender.

I concede that there may be cases where it is right to publicly disclose a vulnerability, but I would highly suggest you defer such responsible, careful, and unbiased handling to a public service that is more experienced in such matters.

700 Software
The last thing you should do is say: Fix it, answer, or I'll publish your bug in a given amount of time.

What you should consider:

  • Make sure enough time passed
  • Contact them again, make sure your mail includes a PoC explaining the dangers and how to simulate etc. and also make a small video of you exploiting the bug.
  • Explicitly tell them you don't have bad intentions, and leave some personal info behind (mail-address, and name).
  • Give a deadline, say you're forced to publish the bug to public in a few weeks by the Responsible Disclosure Policy. Mention: the deadline is not for saying "then it should be fixed", it's for saying "by then you should start fixing it".
  • Talk about bug bounties/rewards on their next reply; don't push them.
  • Try calling and/or the social media they're using.
  • Be friendly, clear, and professional.
O'Niel
    I get what you're trying to say (show that you're being open and honest), but if the exploit involves breaking the law (and it probably does), sending video evidence of you breaking that law along with your home address to someone who has already indicated (by their silence) they don't want to talk to you *might* not be the best idea. Please be careful :) –  Jul 25 '16 at 16:22
  • @drewbenn If you only exploit it on yourself if the users are targeted, or only breach the security but stay out of sensitive information, you have done it responsibly; and I don't see why the owners would make a problem of it. Trying to do this all anonymously is even more risky, because it's harder for them to trust someone they don't know. – O'Niel Jul 25 '16 at 20:03
  • @O'Niel this can still be illegal even though you did it "responsibly" and with good intention. – d0nut Jul 25 '16 at 20:26
If this is internal to your company or somehow connected to you, document everything, including correspondence. Pass the responsibility upwards and deliver the information to superiors or the governing body.

Tom V