6

I'd like advice on how and where to announce an XSS vulnerability (persistent XSS to be exact). My greatest fear is the announcement getting snowed under, thus rendering the disclosure ineffective in pressuring the organization to fix the vulnerability. After that, the vulnerability would just linger around, increasing chances a "black-hat" hacker would exploit it. That's the opposite of what I'm trying to accomplish.

I'm pretty far in the "responsible disclosure" process. I'm trying to behave very ethically here.

If it were a vulnerability in something as big as Facebook or Google, then this would be picked up quite easily by security blogs I think, possibly even the general tech press. This site is definitely more "second tier", which makes for less juicy news. Also, I don't feel like taking the time to write an exploit (say: a worm, perhaps capturing user cookies along the way), which I assume would enhance the news value. I'm actually surprised how much time I have put into this already, somewhat "proving" to myself that I care. (I've never been in a situation like this before.)

I'm fully aware that this question is "subjective" (it has even been automatically detected as such), but I'm still going to try my luck, because I really could use some help here.

Note, I tagged this with "vulnerability-markets" because I think that this is somewhat related. I'm not looking to sell it though. I just want to see it fixed.

Thanks in advance. :)

Perhaps I should have made it more clear that as it stands now, I don't have much faith in the organization's desire to fix this vulnerability, without external pressure. That's why I'm exploring my options.

Anonymous
  • I found some great stuff on this here: http://security.stackexchange.com/questions/807/reporting-vulnerable-sites?rq=1 I did not catch that question in my earlier searches. – Anonymous Feb 18 '13 at 22:59

3 Answers

8

You can make a responsible disclosure with ZDI (Zero Day Initiative). They are well known for their work, and you have a good opportunity to earn some money depending on how strong an exploit can be built upon the vulnerability you have found.

Many security experts submit CVEs to ZDI. It's legal and secure in case you are afraid of the company suing you.

They actually act as a mediator between you and the company and let the company know about the vulnerability on your behalf.

Link to ZDI

Gufran
  • I completely forgot about ZDI. Oops, and thanks for a good link, +Gufran. – grauwulf Feb 18 '13 at 18:29
  • From ZDI's site: "Our security research team develops new Digital Vaccine® protection filters that address the latest vulnerabilities and are constantly distributed to our customers' intrusion prevention systems. By writing vulnerability filters for security issues that come in through the Zero Day Initiative, we can maintain a competitive edge while protecting our customers and encouraging security researchers to bring findings into the public domain." - seems a bit overkill when this is about just forgetting to apply "escape_html()" on some user input. Are they really interested in XSS? – Anonymous Feb 18 '13 at 22:23
  • 1
    Also, ZDI says: "No technical details concerning the vulnerability are sent out publicly until the vendor has released a patch. " I don't see how the disclosure can help as a pressure to fix the vulnerability then. They could ignore ZDI just as well as they've ignored me up to now. I want - as Bruce Schneier says - to make the site owners' "PR problem more acute" http://www.schneier.com/blog/archives/2007/01/debating_full_d.html – Anonymous Feb 18 '13 at 22:45
4

Although the question can be seen as subjective (I agree with that and suspect that you will be flagged) there is a very objective answer: "ask the software owner how they would like disclosure managed." If they are a reputable organization they will have a formal disclosure procedure to follow, so follow it. In most cases this involves submitting a CVE report which, when approved, will be picked up and published to the relevant lists (MITRE, US Cert, etc.).

grauwulf
  • 1
    Also protect yourself in case the company decides to go against you instead. Use Tor and set up an anonymous email account. – Matrix Feb 18 '13 at 17:54
  • +Matrix has a good point. It's a bit off topic, but I would never provide a disclosure without a two-party MOU in place. Onion networks are great and all, but if a company comes after me I don't want to hide. I want to humiliate them in a very public way :-) – grauwulf Feb 18 '13 at 17:58
  • I expect they don't have any procedures for this. They did not even have a dedicated security contact. When I asked, I just got referred to one of their developers. This developer in turn didn't seem particularly concerned. But then, I will certainly ask what they want to do. I just want to know what I'm going to do when they rather want to do nothing, so to say. They've been aware of the issue for over three weeks now. – Anonymous Feb 18 '13 at 22:13
1

Use the company's "about" page or "contact us" to reach out to the right person.

Also try emailing abuse@company.com, support@company.com, webmaster@company.com or postmaster@company.com.

You could also check the company's whois record, or do an ARIN lookup and email that contact.

makerofthings7