How to report a Vulnerability?
Here is an email from one of the mailing list that i subscribe to. It is from Vikas Singhal and in it, he asks this question that I think is also a problem of Technews-ISAW/IHAW members:
Hi all,
Lets say I found a vulnerability in some company’s website ( e.g SQL Injection ) and that vulnerability is crucial to the company. How do I ethically report it to the Company and have credit for that?
Can I go and say “Hey! I found a vuln in your website with gives me the password back for any user” Or doing this kinda stuff is not ethical at all unless you make a SLA with the company before doing any your own pentest.
Can somebody give me any pointer in this direction.
Regards
Vikas Singhal
And here are some insightful comments from the same mailing list:
Hi Vikas,
Generally speaking it depends on the nature of the company and their
policy.Doing this stuff can be charged against you (Because the company did not
allow you to attack its website, no matter what you have discovered).You need to have an agreement or a contract with the company.
Best Regards,
Boaz Shunami
Comsec Consulting
Another comment from Barry Greene:
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1If there is no information on the Web site for reporting the vulnerability, then pick a CERT team, contact them, and get them to
help you contact that company. That covers you A$%^ and makes it easier to contact the company. There is a different between someone individual cold calling a vulnerability and someone like US CERT calling someone.My $.02.
And here is one that deals with the tricky issue of ‘reward’:
Rain Forest Puppy put out something that I thought represented a good start at coming out with a industry standard for this type of thing. However, at the time, I added a comment that it did not provide for any attempt to negotiate monetary compensation for the work or research. Compensation is a sticky wicket because it can be interpretted as extortion. However, any policy that does not deal with the issue or assumes that all security research is to be provided free of charge I fear is incomplete. I would
welcome some additions to an industry standard in that regard. I believe version two is not on his website here:http://www.wiretrip.net/rfp/policy.html
The fact remains that an accepted industry standard for dealing with vulnerabilities should be welcomed by all involved.
Bob Weiss
Password Crackers, Inc.
What do you think is appropriate? Me, if I owned the site, I would appreciate the info on vulnerabilities on my site. But that is my personal opinion. Not all people appreciate it in the same way.
Filed under: Computing, Security