top | item 22867480


tcd | 5 years ago

Just drop a line on twitter saying you've discovered a vulnerability in $popularSoftware and mention $company. Say you'll be disclosing in 90 days if $company doesn't issue a reply publicly.

Make sure to deal with an actual human and that everything is done according to best practice. You may even get publicity this way and even if it's unethical it can be sold or used to your advantage.

If they care, trust me when I say they will make an effort. Most places (like Google) have effective systems in place for dealing with such queries.


DyslexicAtheist | 5 years ago

> even if it's unethical

It wouldn't even be unethical. Responsible disclosure starts with engaging with the company at eye level. All that these bug bounty platforms do is take away exactly this power and allow the company to consolidate the contract to a single entity (e.g. a preferred supplier). They deserve even less respect than any shady recruiter or typical outsourcing sweatshop.

Giving these people power is like talking to a cop without a lawyer: regardless of what they say, they don't have your interest in mind, and you have lost before the game has even started.

vntok | 5 years ago

> Say you'll be disclosing in 90 days if $company doesn't issue a reply publicly.

That's blackmail. An expedient way of getting your door breached.

thoraway1010 | 5 years ago

The idea that you would get a no-knock forcible entry for disclosing a bug is appalling and potentially an indictment of our entire criminal justice system.

I'm assuming vntok's legal conclusion and claim of the type of law enforcement response is true (please do not make things up on hackernews).

In which case my former support for the police and law and order is SERIOUSLY diminished.

You have a non-violent offense, that is not an actual offense, and they are doing SWAT door breaches on you. Wow! The priorities of these companies and law enforcement are backwards then.

I guess folks are being told to just sell it to a zero day vendor (which also happens to work for the same govt agency that will bust down your door if you disclose publicly). Pretty appalling behavior here!

kbenson | 5 years ago

No, the disclosure is disconnected from payment, so it's not blackmail. Notifying companies is a courtesy, and considered good form. Companies offer rewards to incentivize this behavior. Researchers releasing vulnerabilities after a time period no matter what is to incentivize companies to actually fix the problems (not just pay to shut up the researcher). Both are useful for a well-functioning system of independent researchers finding vulnerabilities in companies that then get fixed.

Releasing the vulnerability because you weren't paid, regardless of whatever timelines you would have followed? That's blackmail. I imagine having a very clear and consistent policy as a researcher that is not based on money (but can be based on company participation and whether they seem like they are actually trying to fix the problem) will go a long way towards clearing you of any suspicion of blackmail.

balls187 | 5 years ago

In the US, blackmail requires a benefit in exchange for not disclosing information.

A public reply isn't much of a benefit, and my understanding is that the vulnerabilities will be disclosed eventually within a reasonably limited timeframe.

hmage | 5 years ago

Google Project Zero is doing exactly that: disclosing them in 90 days whether or not they're fixed.

This kind of pressure is helpful, because otherwise stories of OP will be dominant and security problems will stay unpatched.

_jal | 5 years ago

A lovely example of why one shouldn't take legal advice from message boards.

But I would say that if you're doing this sort of thing for the first time, I would strongly advise you to talk to a lawyer who knows this corner of the law, and to someone who has done this before.

Smarts do not substitute for experience and domain-specific knowledge.

gruez | 5 years ago

That's similar to how Project Zero (by Google) works. Exploits get released in 90 days unless the developers can provide a plausible justification for why that deadline can't be reached.