Responsible Disclosure

I'm trying to figure out what everyone thinks about disclosing vulnerabilities responsibly. In particular I'm speaking about website/web or SaaS applications. I know that some of the more technically oriented companies like Twitter or Wordpress have email addresses that you can send any issues to...but what if the site is just your average SMB site? Most of them wouldn't know how to handle dealing with vulnerabilities in their own applications/site plus I feel like they might even think you are doing something malicious (or come after you legally).

Is it worth it to report bugs/vulnerabilities to these kinds of sites and if so, is there a good way to do it without legal ramifications?

I'm hoping that some of you who deal with security or pen tests have run into something like this before.

Find more posts tagged with

Comments

Paul Boz

I think it depends on how you come across it and what the nature of the vulnerability is. If its something you discovered in the regular course of using their website it wouldn't hurt to email them or call them just to let you know your observation. If you were basically pentesting them I probably wouldn't.

NightShade03

Paul Boz wrote: »

If you were basically pentesting them I probably wouldn't.

Since 99% of sites that have a "Terms of Service" pretty much clearly spell out you can't do anything illegal (hacking/pen testing) their site/app that would just be opening up the door for a lawsuit

But I see your point...

rwmidl

If you are that concerned, I guess you could just create a dummy email account, and email your findings to the site/company. Then just kill the account.

RobertKaucher

rwmidl wrote: »

If you are that concerned, I guess you could just create a dummy email account, and email your findings to the site/company. Then just kill the account.

And access it from an open wifi spot in another city? Certainly not from home...

veritas_libertas

RobertKaucher wrote: »

And access it from an open wifi spot in another city? Certainly not from home...

Exactly! Personally I would be afraid to say anything for fear I would be accused of pen-testing them.

NightShade03

veritas_libertas wrote: »

Exactly! Personally I would be afraid to say anything for fear I would be accused of pen-testing them.

Which I agree with, but is also pretty sad that in this day and age with all the exploits and attacks we have running around that people would find such offense in free advise and/or early warnings.

I feel like those that work for an actual security company (you know the ones with a marketing staff and resources to take on a litigation should it come to that), could ever actually help (or gain a new client...whatever comes first).

dynamik

You should always contact the vendor first and give them reasonable time to address the issue. If they do not comply in a timely manner, some people will publicly disclose the vulnerability to increase awareness and allow organizations to implement compensating controls to mitigate the risk of exploitation (if one person knows about it, others will also discover it if they haven't already). There is much debate regarding responsible disclosure, and there really is no right answer. You should definitely start with the vendor though.

You also need to ensure that no laws were broken in the process of discovering the vulnerability. There's a big difference between running a fuzzing lab and randomly attacking public servers. Few organizations will see that as helpful, and you will be opening the door for legal consequences that will likely ruin your career. ALWAYS have written permission before doing anything that could be construed as being malicious. If you notice something that seems out of place during normal use, bring it to their attention, but don't take things any further in an attempt to deliver a PoC.

Uncovering vulnerabilities is a unique art/science. It is usually a dedicated activity and is not something you typically come across while performing penetration tests. However, I would definitely report a vulnerability to an appropriate party if I were to ever discover one.

tiersten

What Paul and Dynamik said. If you discovered this during legitimate normal usage of their site then feel free to inform them. If you're just randomly testing sites then you may end up with some unwanted attention from the law.

And here I was thinking this was something to do with Dynamik flashing people...