
An appliance is suffering from a "cryptographic bad practice"-class problem; more details here. It would take quite some person-months to prove, just for one firmware version, whether it can be exploited.

My questions are:
  • How can "bad practice"-class problems be reported without someone developing an exploit?
  • If you think it can be pushed through 1st-level customer support, what arguments should be used?
"I think what you do is bad practice, please spend money fixing it, even though it may be harmless"

user185953
    Have you tried sending them an email where you explain the problem? – Sjoerd Feb 18 '19 at 15:30
  • Have you tried sending an email that clearly spells out best practices, links to standards documents, and cites sources, that is thoroughly interspersed with profanity laden insults against the developers' and their managers' intelligence so that, while you guarantee that you won't get a reply, you also guarantee that the 1st level customer support person will say "Hey, direct supervisor, come look at this!"? – Ghedipunk Feb 18 '19 at 16:16
  • Yes, spelling out best practices is a good idea, but what would be a credible source to quote them from? I can't send them links to academic papers or anything similar. – user185953 Feb 19 '19 at 11:39

1 Answer

I would start looking for a company email address that is provided so third parties can report vulnerabilities, e.g. security@, secure@, psirt@. Maybe Google the vendor's site and look for "responsible disclosure" or "vulnerabilities". If you find such an address, email them there. While it's not necessarily a vulnerability, if the vendor has something like that in place they're the best people to work with, as they're likely to understand the issue and have the proper contacts to get it fixed.

Failing that, you can always try front-line support. They probably won't understand the issue, but if they escalate to back-line support (or development, depending on how big the support org is) then hopefully it'll be recognized as an issue and fixed at some point.

Swashbuckler
  • Good point. The person handling security@ or alike is the most likely to understand the risks. The part that I am struggling with is finding a good phrasing or a credible source to quote. I doubt "I think what you do is bad practice, please spend money fixing it, even though it may be harmless" carries much weight – user185953 Feb 19 '19 at 11:47
  • @user185953 Re. "_please spend money fixing it_"... probably all you can realistically hope for (and perhaps, therefore ask for) is that they spend time investigating it. It might be an easy fix, if they're aware it's potentially an issue; it might be such a big change that they deem it not feasible/cost-effective (remembering almost all security decisions are a trade-off between the cost of a perceived threat and the cost to fix/contain the threat). As for evidence, either your linked question, or other Q&As here (e.g. https://security.stackexchange.com/q/1806/61744) should help. – TripeHound Feb 21 '19 at 16:18
  • @TripeHound "Unfortunately", it appears that [q/1806/61744](https://security.stackexchange.com/q/1806/61744) is not relevant. The embedded webserver does not advertise "RSA key-exchange", which I believe means that the private key is never used for encryption. – user185953 Mar 06 '19 at 10:39