Why is vulnerability disclosure so difficult?

We purchased security vulnerabilities as part of our SSD program from a researcher who has conducted an extensive audit of a popular bulletin board system, IPB. For those not familiar with it, it is a good product, quite common, and well supported by a commercial company called Invision Power. The audit revealed a few high-risk issues in the program that allow remote attackers to gain access to entries in the database with minimal requirements on the attacker’s side.

After verifying the issue we contacted the company in several ways, emailing several addresses, but failed to “reach” anyone. We received several automated responses, and even our inquiry to their sales email returned nothing. Are we missing something?

From their site it is apparent that support is provided only to paying customers. Fair enough, but I am not a customer; I am trying to help them. I am willing to give them the security research we paid for, for FREE. Yes, free: they aren’t asked to pay anything for the vulnerabilities discovered, they are only asked to fix them, which will certainly benefit them.

If anyone has an idea how we could reach Invision Power’s guys/developers, please feel free to contact me at noamr[at]beyondsecurity.com.

  • http://www.spywareinfoforum.com Coly Moore

    There are some IPB staff on Twitter – @rikkitissier @joshdw1 @charleswarner @mattmecham @bdavie

    I posted about this in the IPB forum and they say “as for the report there… we did reply to it back in July. The person probably didn’t get our email. I have emailed them again.”

  • http://www.BeyondSecurity.com noam

    Thank you all for getting IPB to notice this post, and of course to get in touch with me regarding this vulnerability.

    I am now in contact with them and they should receive the full details on the vulnerability.

  • Mata Cheala

    This is bullshit!
    Fuck you and fuck IPB!

  • http://www.BeyondSecurity.com noam

    IPB were quick on the tail of this vulnerability and fixed it in less than 24 hours from the time they received the reports, good work guys:

  • me

    Who cares? Post a weaponized PoC and let Allah sort it out.