Reporting Vulnerabilities is for the Brave

I came across this nice article: Reporting Vulnerabilities is for the Brave by Pascal Meunier. The article describes how often vulnerability researchers come face to face with the ugly side of disclosing vulnerabilities, as in the case of Eric McCarty.

In my opinion this post is worth reading. However, I don’t agree with his conclusion that it is better to keep quiet than to tell anyone. Silence of this kind is the same problem that allows organized crime to persist (a different outcome, but the same mechanism), and, more to the point here, it leaves security issues “previously” unknown, or, as in the case of this article, unpublished out of fear of being sued by the vendor.

  • Matthew Murphy

    The article you cite seems to be very specific in referring to vulnerabilities in web sites. As far as production web sites, the legal minefield is much wider. I don’t believe that article was meant to discourage the reporting of software vulnerabilities, rather vulnerabilities in custom applications that were encountered by probing for vulnerabilities in others’ systems.

  • Sid

    I’ve only ever found two flaws in web sites that were closed source and custom made. For one I was treated like a fool until I provided proof (without requesting authorisation; I’m a well-meaning non-cautious student, as Meunier puts it), then the problem was fixed according to the code I emailed. For the second issue they emailed saying thanks but have done nothing about it.
    I do think the flaws should be reported, but perhaps someone should set up something allowing it to be totally anonymous.

  • digi7al64

    Recently I have found two major exploits in popular web-based software from two different companies that are both market leaders in their respective fields.

    Each allowed me to take entire control of the system with admin privileges (had I chosen to).

    A third system I compromised was a custom-made application that served about 10000 unique users and contained sensitive and personally identifiable information.

    All have been reported to the developers with no problems.

    Hence, the moral is: don’t tell the company using the software, tell the people that developed it and point out how it might be fixed.

    I mean the world needs grey hat hackers to help other programmers secure their code, and if they don’t want our help, then they should be prepared to compensate the people whose accounts and personal data they have allowed to be compromised.

  • Sid

    The problem is that often they don’t provide any contact details for the development team, only the support/PR section of the company. Also, if the web site was made by a third party (or even someone on rentACoder) then they may simply not care.

    That is still a good and valid point though, where possible report straight to the developers.