this post was submitted on 22 Aug 2024

311 points (99.4% liked)

Cybersecurity - Memes

1964 readers

1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago

MODERATORS

[email protected]

Alphadef

311

Responsible disclosure (feddit.org)

submitted 2 months ago by [email protected] to c/[email protected]

17 comments fedilink hide all child comments

To be clear, not all companies are like this.

all 18 comments

sorted by: hot top controversial new old

[–] [email protected] 60 points 2 months ago (1 children)

Disclosure to the company is only half of responsible disclosure.

Report bug to company privately, and specify a date where the details will be made public. 90 days is a good starting point, but there is room for negotiation up or down depending on how complex the bug is (more complex = harder for someone else to discover = less urgency to patch) and how much impact there is (more impact = more risk if someone malicious discovers it = more urgency)
While you wait, apply for a CVE number and determine a CVSS score - this helps signal how critical the bug is
Once the company publishes a patch (or the embargo date is reached, which ever comes first), publish details of the research

The point of responsible disclosure is to balance the vendors need to have time to fix security bugs before the details are publicly known against the customers right to know that there are unpatched bugs so they can take measures to mitigate their risks. It isn't a free pass for vendors to never patch things

[–] [email protected] 46 points 2 months ago* (last edited 2 months ago) (2 children)

Not so in Germany, where you can be hit with charges by the company. In one famous case in 2021, the conservative party pressed charges against a data researcher, after she responsibly disclosed a massive data leak via their party app. After the court determined, that afromentioned data was insufficiently secured, those charges were dropped.

This proved to the tech-side in Germany, that responsible disclosure just harms yourself in the end and that German companies (and political parties) might as well go fuck themselves.

Edit: Grammar

[–] [email protected] 29 points 2 months ago

Man germany at the highest clown rating in the digital era.

[–] [email protected] 18 points 2 months ago

Somewhere in the HQ of the german conservative party

[–] [email protected] 57 points 2 months ago (5 children)

Disclosed responsibly

Received a Cease & Desist order with threat of litigation if released to the public

¯\_(ツ)_/¯

[–] [email protected] 17 points 2 months ago

No good deed goes unpunished

[–] [email protected] 14 points 2 months ago (1 children)

Sure would be a shame if it was leaked anonymously online...

[–] [email protected] 6 points 2 months ago (1 children)

Unfortunately this is a product not many care for nor know about, and I had a personal working relationship with this vendor, so even if it were “leaked anonymously” they could point back at me and make things a living hell.

At this point it’s been almost five years. They made their stance known. The exploit isn’t one that can be done completely remote without some internal knowledge to the setup of the equipment. It’s old news and they’re better off fading away in obscurity. I just won’t bother to try helping them make their products better and more secure.

[–] [email protected] 3 points 2 months ago* (last edited 2 months ago)

If it makes you feel any better, you're not alone. Would be a few more hoops to jump through to connect it to me, but as far as I know my company is the only customer left using this particular piece of software. The vebdor let go all their support staff and devs for it over a year ago. It's also highly likely that my company has a significantly customized version of this software.

Files shipped with the client install include functions to not only encrypt passwords (expected) but to decrypt them as well. If anyone got into the users table of the db it's all over.

Edit: Also to be fair, I don't truly know if this would be considered a problem. If someone has the users table you're probably fucked in a lot of other ways too.

[–] [email protected] 9 points 2 months ago* (last edited 2 months ago)

It's very responsible of you to be thinking of the poor corporation; they needed a hand from a hardworking volunteer like yourself and you did the responsible thing and made their lives easier. Hurray!

[–] [email protected] 4 points 2 months ago

Release the vulnerability to the dark net.

[–] [email protected] 21 points 2 months ago

we acknowledge this is a zero day threat and is being actively exploited but we don't see the need to release an out of bad patch.
This exploit will be resolved on our next patch ETA next month.

Looking at you non specific firewall vendor.

[–] [email protected] 13 points 2 months ago (2 children)

At least you're reporting legit vulnerabilities. Meanwhile I'm over here swarmed by "vulnerability reports" about SPF for a fukken subdomain that never gets used for email, and has it configured correctly already 😑

[–] [email protected] 11 points 2 months ago* (last edited 2 months ago) (1 children)

You should look up Beg Bounties by the guy that does haveibeenpwned

Edit: here it is for others to see

https://www.troyhunt.com/beg-bounties/

[–] [email protected] 6 points 2 months ago

I've not heard of it, I'll check it out!

[–] [email protected] 5 points 2 months ago

I have reported a few vulnerabilities in the last years, but sometimes it is hard to judge whether or not it is a real vulnerability or just a minor bug.

But I'd rather report one bug too much than keep silent about it.

[–] [email protected] 7 points 2 months ago

Then people wonder why it just gets leaked online.