
> Alas, all reasonable measures were exhausted without response, I loaded the data into Have I Been Pwned (HIBP) and then they took notice

Every single time. They don't really care about users, their safety and privacy. They care about legal liability and not looking foolish in public. It seriously makes me wish people would just publish vulnerabilities straight up complete with exploit source code so they'd have literally no choice but to care.




> After I shopped a few other companies to see how our plans compared

Yeah, once you start using a vulnerability maliciously to obtain confidential data for your own personal gain, even if it's a stupid vulnerability, you're not really a good-guy security researcher anymore.

If all you did was the bare minimum to demonstrate the vuln exists, that's cool. If after you do that you continue to use it to obtain confidential info for your own gain or curiosity, that's not so cool.

> Perhaps it's more difficult to hold yourself accountable than it is to assume that others who've found your shoddy work are malicious actors.

You literally just admitted to being a malicious actor in the paragraph above.


> The attack made the code throw an exception and some of my escaping characters caused havoc with their error logger

Heh, something similar happened to me during a recent audit. I didn't even know until an admin emailed me saying that I'd broken a bunch of batched jobs, and not to test that until it was fixed.

> A generic, flimsy, non-personal "everyone can try and 'hack' us and it's OK" policy published somewhere is just too little protection

It hasn't worked out too badly for me. I stay away from industries with lots of "suits" (banking, etc.), but if a company is implicitly encouraging independent pentesting by publicly crediting reporters, and you act in good faith, I can't see any charges sticking.


> I think they acted pretty fairly

They absolutely didn't.

I don't get how there seems to be absolutely no human side to these cases.

Guy discovers critical vulnerability and could have completely fucked the company over. Instead he responsibly reports it, and he gets back a big fuck you. How can you possibly think that's fair? The fact that it's out of scope only means they should give him an out of scope reward - much higher!

Saying he could have not checked the credentials is a bit silly, because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.

And isn't the entire point in bug bounties to encourage pen testers to explore your system? Sure, you don't really want them poking around your source control, but better that than black hats.

All of the above aside. They really couldn't spare $500 for someone who could have caused $millions of damage?


> When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.

> In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

Yikes. Sounds like they either didn't dig deep enough to see if it was exploited or they don't keep records long enough to be sure.


"I thought about writing an email to these people, let them know about the vulnerabilities in their code, and the bad practices they have, but I didn’t at this point. I felt like I was able to find more things regarding this company."

Oof, that's bad behavior. I wouldn't be proudly blogging about this.


> not let your anger cause you to do something stupid

Note: I didn't say that I would do this for every company. Just ones that use HackerOne. They have decided to abdicate their responsibility for their security vulnerability reporting, and I feel completely justified in dumping info on their vulnerabilities.

Releasing the details of a vulnerability is not stupid. The users of the software/service deserve to know the data/service they're using is unsafe when a vendor refuses to act on a valid security issue.

> If you disclose a vulnerability, the company HAS EVERY RIGHT to sue you.

You don't need the right to file a lawsuit to file a lawsuit. You just file the lawsuit. Now, you need an actual, actionable claim to prevail as a plaintiff in a lawsuit. Whether such a thing exists in practice is something we leave to lawyers to argue about and judges/juries to decide.

If your company is in a competitive industry and I release the details of a vulnerability in your software and you sue me, then that vulnerability and lawsuit become marketing item number one for all of your competitors.

> this is why these bug bounties and established ways of notifying the company of the vulnerabilities exist

Arguably why they exist. In reality, they tend to exist to give people an incentive to not dump the vuln details on the black market, embargo bugs so customers don't leave, and attempt to maintain a good relationship with security researchers. They do not grant immunity from being sued or somehow grant the legal right for security researchers to do their work as your comment seems to indicate.

Your post reads like propaganda from a bug bounty organization. I'm not saying that you're shilling, just that you're misinformed. In the US it is generally legal to conduct security research. In the US it is legal to communicate the results of that research publicly so long as you have not agreed in some contract to not do so.

Where did you get the idea that legitimate security research is a crime?


> Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report. Most likely I’ll be banned at H1 because of it, but it won't make me upset.

This seems pretty scammy of HackerOne and does nothing but hurt security. Either something is an issue and should be paid for, or it's not an issue and disclosure is fine. They're trying to have it both ways and trying to strong arm researchers into keeping quiet.


> Don't they have any sort of vulnerability assessment or security code review?

I haven’t seen any evidence that they do. The last time I brought up their history of bad security practices on HN, one of their co-founders decided that the correct course of action was to come on here, accuse me of being a bad actor, and repeatedly make up quotes I didn’t say.[0] All because I tried to warn others in the community that something just like this was likely to happen again. And now it has. So, you know.

[0] https://news.ycombinator.com/item?id=25919105


> If you contact them, you can at least give them time to patch the flaw for software, or time to start producing a new line of locks in this case.

Will I be paid for the effort? Or am I expected to give them information for free when they would never do the same for me? Ethics is a two-way street, and after Superfish (among other issues) I owe this company no ethical obligations.

> If you release it to the world before they're even aware of it, there's a gap where there is absolutely no mitigation whatsoever.

Quite a convenient way to blame me for the security flaw in their product. No, this is solely on them, and as I already pointed out, they have already burned up any professional ethical obligations.


> If I find a serious issue that's still unpatched and someone tells me "Oops, it's a duplicate, sorry!" I'm still going to ask for payment. If I don't get it, it's a given that I'm going public.

Probably because I think what you've just described could be viewed as extortion, which is illegal in many locations? Also, it doesn't really do you any favors, I think. You'll get a week or less of recognition as finding an exploit, and then the story will come out how you both sniped someone else's find and possibly caused damage on purpose for your five minutes of fame.

To be clear, it's the initial monetary request and actions because it was denied that makes this entirely mercenary and would not reflect well on you. You were obviously willing to sit on the exploit for a while for some cash, so you no longer have any moral arguments to rely on for your behavior if you release it immediately, and the fact that it's not original just makes it worse. I imagine your reputation for security matters might never recover.

There are ways to get the moral defense back, but it requires waiting a while to see if it actually gets fixed and not taking it public immediately (so it actually is for their unresponsiveness and not just because they didn't pay).


> Unfortunately, this is, in fact, the second time I have discovered this exact vulnerability. The first time, the issue was reported and fixed, but after finding it again, I can see that simply reporting the issue was a mistake.

I feel uncomfortable with this. The author already reported a vulnerability, it was fixed, but now there's a new one (which is identical, ok, but new nevertheless), so he decided they didn't learn their lesson and punished them with public shaming? I'd maybe get it if the first time was ignored, but like this? Nah ah.

It's like my worst teachers coming back to haunt me as an adult.


> I'm the security researcher in question (and author of this post). What a company does when pressured by their customer base and what they do when no pressures exist are two very, very different things

Totally agreed.

> Had I approached them with these vulnerabilities ahead of time, it's highly likely that they would have used their considerable cash reserves to strong-arm me legally into not releasing this data, and the issue would not have been resolved.

I guess we'll never know will we?

Edit: To be fair, I don't have a stake in this either way, and I'm glad the end result is that they're taking the threat seriously.


> Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles

I just got the email notification from HIBP (Have I Been Pwned) a few minutes ago [1], but I am not worried about the compromised data because 1) my personal email address, job title and phone number are all visible in my resume, which is publicly available on my website; I actually encourage people —mostly tech recruiters— to download the PDF and contact me via email or phone all the time, and 2) my physical address is irrelevant because I have been moving houses every year for the last seven (7) years (even across countries a couple of times). All the social media accounts I have are completely empty; I just keep them around to hold on to my nickname.

I recently found, in my website’s HTTP logs, several requests from a web crawler controlled by ZoomInfo [2], an American subscription-based software as a service (SaaS) company that sells access to its database of information about business people and companies to sales, marketing and recruiting professionals. I was going to configure my firewall to block these requests but then I remembered —hey! my website only has information I am comfortable sharing, so it doesn’t matter— but I’ve been thinking it is just a matter of time before someone hacks one of their systems and leaks their database.

In my previous-previous job I found a fairly simple (persistent) XSS vulnerability in BambooHR that allowed non-authorized users to access data from all employees registered in the website including Social Security Numbers (SSN). I told my boss and we immediately edited everything before migrating to a different system. We never knew if BambooHR fixed the vulnerabilities and I wouldn’t be surprised if the data was leaked before or after I found the security hole.

Software security is such a Whac-A-Mole game; even if you get the budget to conduct security audits on your code, there is always going to be a weak link somewhere in the chain, and that will be your doom. This is one of the many reasons why I left that job as a Security Engineer; the other reasons were Meltdown [3] and Spectre [4], which both made me realize I was fighting for a lost cause.

[1] https://haveibeenpwned.com/NotifyMe

[2] https://en.wikipedia.org/wiki/ZoomInfo

[3] https://en.wikipedia.org/wiki/Meltdown_%28security_vulnerabi...

[4] https://en.wikipedia.org/wiki/Spectre_%28security_vulnerabil...


> Somehow my doing work on my own time creates an obligation for me to do more work on behalf of others.

To some small extent, yes, though how much work is up for debate. Maintainer's email and PGP public key are right there on the website? Yeah, I think you're obligated. No email you can find, no way to contact them, or are they just outright hostile? No, I think you shouldn't have to deal with that.

But I feel like you agree with that, though maybe not in those exact words. After all, you've had to jump through all kinds of hoops to disclose vulnerabilities, been threatened with lawsuits for doing the right thing, and yet you still practice responsible disclosure in almost every case in spite of the burden of effort and potential risk. Aren't you doing it because you think disclosure is the right thing to do? That's all I mean by obligation.

EDIT: sorry, not "responsible disclosure," "cooperative disclosure" or whatever term you want to use for disclosing the vulnerability to the maintainer.


> Much better that this kid exposed these security holes.

That's why we have responsible disclosure. It does not make it okay to exploit security holes for profit.

> Spearphishing is a real problem and tech companies have no answer.

That does not make it okay to exploit it.


> However, I refuse to give any company credit for waking up their support team only when a scathing article about them frontpages on Hacker News. I told them I wouldn’t publish a positive follow-up unless they also convinced me that the support experience had been fixed for the typical user as well.

You are a gem and I wish more people were like you.


> How many more times must threads like this be posted to HN before we DEMAND action be taken?

I completely agree with you, but do realize that the majority of hacker newses are coders (not even programmers) who would never take responsibility for their shoddy work. Heavens forbid they, or their management, be held personally liable for their mistakes. They won't even call defects, "defects"--they're just "bugs"! Whoopsies!

What could they be hiding in all that proprietary code--incompetence, malice, or both?


> 2024-03-07: Tried to find information how a vulnerability can be reported to Ariane Systems. The vendor does not use security.txt nor a DNS TXT record for security contact lookup. There is no information on the website how to contact the product security team. Therefore, Pentagrid initially contacted Ariane Systems via support@ariane.com.

Ugh. I've been in a similar scenario and had to report a security bug via the normal support channel for a fairly large-sized company. Never again. It was significantly more work to get the bug in front of someone who understood it and could do something about it than it was developing the exploit in the first place.

After a certain company size it should be a legal requirement to have a dedicated security contact listed somewhere.

Now, after a few good faith attempts to get an exploit in front of the appropriate person at a company, I just forget it. I'm sure there are people in similar situations who, after a few attempts to report to the company, end up selling the exploit rather than forgetting it.


> After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to have fixed all issues. However multiple vulnerabilities we reported still exist...

It's a bit unfair to imply they engaged in some kind of irresponsible disclosure; they haven't disclosed any of the exploits.

