
Responsible disclosure - It's a pain

  • 19-03-2012 1:36am
    #1
    Registered Users Posts: 1,691 ✭✭✭


    Hi,

    Over the years I've sent a few emails to disclose security holes in both products I worked on and also products I bump into and take a small poke at.

    It's always been weird. I have had results like:
    1. You're being melodramatic, it's a one-line fix, you should fix them (I found 4/5 game-ending bugs in their product)
    2. Email disappearing into a black hole
    3. Fix the issue but leave the same bug in every other area of the product.
    4. To the scary threat
    I just contacted a company ten minutes ago with another mail to say I'd like to disclose a security issue with their product; can I please discuss this with someone responsible for application security.

    Anyone have a better approach or better results? I'd settle for a "thanks".


    NOTE: Let's keep it in the rules, friendly, and not get me a kicking from the other mods. Remember we can't discuss legals.


Comments

  • Closed Accounts Posts: 465 ✭✭pacquiao


    Perhaps next time you will let them find out the hard way.


  • Registered Users Posts: 367 ✭✭900913


    The guidelines for responsible disclosure are here:
    http://www.wiretrip.net/p/libwhisker.html

    In my experience the smaller sites are more grateful for the info than the larger sites.

    I've reported 2 SQLi's to https://www.facebook.com/whitehat (their responsible disclosure page).

    You can set up test accounts for testing exploits.
    About Test Accounts
    Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing.
    Limitations

    Can interact with other test accounts, but not with real accounts
    Are exempt from Facebook spam or fake account detection systems
    Can't like Facebook pages or post to a page's Wall
    Can't be converted to a real user account

    https://www.facebook.com/whitehat/accounts/


  • Registered Users Posts: 576 ✭✭✭ifah


    I normally contact the site owner directly - explain who I am, how I found their vulnerability and suggest possible fixes. All to a man have been very thankful - the web developers are a different story. I've been verbally abused over the phone by web devs after pointing out flaws to them.


  • Registered Users Posts: 8,004 ✭✭✭ironclaw


    I was literally about to ask the same thing this morning. How does one go about pointing out a flaw without becoming liable? I've found the odd SQLi and hash / authentication fails for a few different sites, but never reported them. Do you open yourself to being prosecuted? Even if you never damaged the site or exploited the flaw?


  • Registered Users Posts: 367 ✭✭900913


    ironclaw wrote: »
    I was literally about to ask the same thing this morning. How does one go about pointing out a flaw without becoming liable? I've found the odd SQLi and hash / authentication fails for a few different sites, but never reported them. Do you open yourself to being prosecuted? Even if you never damaged the site or exploited the flaw?


    It's a grey area because if you find an SQLi and you do a @version)"
    technically you're taking/stealing data from the database.

    Some site admins don't like their site being probed.

    If the good guys can find the vulnerabilities then the bad guys can too.
    But the bad guys have malicious intentions!


  • Registered Users Posts: 8,004 ✭✭✭ironclaw


    900913 wrote: »
    It's a grey area because if you find an SQLi and you do a @version)"
    technically you're taking/stealing data from the database.

    Some site admins don't like their site being probed.

    If the good guys can find the vulnerabilities then the bad guys can too.
    But the bad guys have malicious intentions!

    Very true. It's a tough call because your intentions could be viewed in either light. What about hash fails or proxy / header changing?


  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    If a site admin doesn't notice you probing his site, he is not too good at his job.

    I got a response back requesting further information on what I had found this time. I provided details and offered to help find any further issues in a test environment, and recommended the OWASP testing framework as something to consider introducing to their test process.

    At least they are curious. Let's see what happens next.


  • Banned (with Prison Access) Posts: 890 ✭✭✭CrinkElite


    I'm curious. Is there any form of monetary reward for doing this kind of freelance investigation?


  • Registered Users Posts: 8,004 ✭✭✭ironclaw


    CrinkElite wrote: »
    I'm curious. Is there any form of monetary reward for doing this kind of freelance investigation?

    Professionally and with permission, provided you're very good, I've heard it's a decent earner. It's professional pen testing as an umbrella term. In the US there are a good few companies doing it, but they also have other interests such as forensics and physical security.


  • Registered Users Posts: 367 ✭✭900913


    Here's an example of what can go wrong with responsible disclosure.

    http://krebsonsecurity.com/2011/01/plentyoffish-com-hacked-blames-messenger/



  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    ironclaw wrote: »
    Professionally and with permission, provided you're very good, I've heard it's a decent earner.

    I can confirm this. In excess of 500 per day for a professional pentest + extra for the report afterwards. Work is probably not going to be terribly steady though.


  • Registered Users Posts: 8,004 ✭✭✭ironclaw


    Khannie wrote: »
    Work is probably not going to be terribly steady though.

    Probably the biggest drawback by a long shot. You could augment that with seminars and briefings, but realistically you'd want to make a run at it in a big way to make it pay off. How many individuals / companies would reasonably pay for a day seminar? Very few I'd say.

