Post AUXOR4ptCaS02RPee8 by BenAveling@infosec.exchange
Post #AUX0mWnC3dejvQqbke by mjg59@nondeterministic.computer
2023-04-11T04:37:53Z
0 likes, 0 repeats
What's the appropriate choice when you find a security vulnerability and the vendor's website tells you to submit to a bug bounty program whose terms prevent public disclosure without vendor approval?
Post #AUX1nIDHqdUax7yt84 by mjg59@nondeterministic.computer
2023-04-11T04:44:47Z
0 likes, 0 repeats
Disclosing via the bounty program with an assertion that you'll disclose after 90 days /feels/ like it should be the right answer, but it's also a violation of the terms and risks you being kicked off the platform
Post #AUX29jXavRFE4vBFOy by 990000@mstdn.social
2023-04-11T04:49:26Z
0 likes, 0 repeats
@mjg59 is it just that they fear they will not be able to patch it in time and everyone will know about it if it’s publicly shared? Seems reasonable to ask that of people esp if they pay, but it seems it’s ultimately your call. Not sure if it’s a matter of appropriate vs inappropriate. There is no right or wrong unless it’s clear that publicizing it is more important than what they think (or the money).
Post #AUX2UdPauMuD9PP9rU by kilpatds@mastodon.social
2023-04-11T04:49:43Z
0 likes, 0 repeats
@mjg59 Mail the vuln to security@, and disclose after 90 days?
Post #AUX2qZt2h8Y8aZdsZs by mjg59@nondeterministic.computer
2023-04-11T04:51:26Z
0 likes, 0 repeats
It's intensely frustrating that bounty platforms continue to allow this sort of thing - I had one case where a vendor accepted the issue, then left it unresolved for over two years and had terms that prevented disclosure. I ended up with a bounty of, uh, $0.
Post #AUX31Kt6nhvFFvnqme by charlesdardaman@infosec.exchange
2023-04-11T04:51:38Z
0 likes, 0 repeats
@mjg59 email them directly and give notice. That way you can actually enforce the 90 days, which, if you handle it over a bug bounty platform, you can't.
Post #AUX3GrTBwaOAeQ5FaK by vambenepe@mastodon.social
2023-04-11T04:51:57Z
0 likes, 0 repeats
@mjg59 Use the vulnerability to take over the web site, update the terms of the bounty program, then submit to the bounty program.
Post #AUX3ea1OT5CBUBOJyy by mjg59@nondeterministic.computer
2023-04-11T04:55:03Z
0 likes, 0 repeats
@charlesdardaman Some vendors explicitly assert that they only accept reports via their bounty program (which, I'll admit, seems like a "them" problem and not a "me" problem)
Post #AUX3whlePISoiqfcUi by womble@infosec.exchange
2023-04-11T04:55:30Z
0 likes, 0 repeats
@mjg59 full-disc!
Post #AUX57Dro18pd7u81I0 by bignose@fosstodon.org
2023-04-11T04:58:07Z
0 likes, 0 repeats
@mjg59 Screw their "agree to our terms" submission form. They don't get to hold anything on you, nor hold back community research and discussion of vulnerabilities. Submit to the closest-approximation "technical contact" email address, noting that you'll publicly disclose after 90 days as is normal. Publicly disclose after 90 days.
Post #AUX5XvCbWHqB3faUym by wohali@octodon.social
2023-04-11T05:04:30Z
0 likes, 0 repeats
@mjg59 disclose anonymously?
Post #AUX5mfCXIGrvm8aLlg by quidity@infosec.exchange
2023-04-11T05:05:41Z
0 likes, 0 repeats
@mjg59 bounty black holes are bad but it really depends on how much a reporter needs the incentive vs how much they want to be the incentive they want to see in the world. I wouldn't judge anyone for picking any of the options - and the vendor should get a better disclosure program.
Post #AUX6FhrCUwvQPVSF3Q by soatok@furry.engineer
2023-04-11T05:13:08Z
0 likes, 0 repeats
@mjg59 Having lived through this experience, I say disclose publicly through a pseudonym. https://soatok.blog/2022/06/14/when-soatok-used-bugcrowd/
Post #AUX6UPTf7DzVkbSJyy by jsmall@infosec.exchange
2023-04-11T05:31:02Z
0 likes, 0 repeats
@mjg59 I would say to be prepared for the fact that there is no possible action you can take that won't involve a vocal group of people deciding to blast about "irresponsible disclosure".
Post #AUX6uu77pfCoIUY1Sa by ewenmcneill@cloudisland.nz
2023-04-11T05:39:44Z
0 likes, 0 repeats
@mjg59 assuming you value public disclosure over any bounty money, and want to try to do the right thing, I’d say set your own rules of engagement (e.g. as Google Project Zero did). E.g., mail security@ (and any other contacts you can find) N times over 90-120 days, keep records, publicly disclose after 90-120 days with dates of attempted contact. Refuse the bounty programme if it is suggested. If they will only accept via the bounty programme, they care about publicity control, not security.
Post #AUXEgcQFbyMJ0VC0i8 by robryk@qoto.org
2023-04-11T07:13:36Z
0 likes, 0 repeats
@mjg59 Another option (I'm curious if it's obviously wrong for some reason I can't see): inform the company via snail mail and give a disclosure deadline in that mail.
Post #AUXFVb6MHXepgBCG3s by mjg59@nondeterministic.computer
2023-04-11T07:21:25Z
0 likes, 0 repeats
@robryk I'm not paying to send a letter to Australia because someone else fucked up
Post #AUXFv9NTysXZDzOIfQ by bigiain@aus.social
2023-04-11T07:23:51Z
0 likes, 1 repeats
@mjg59 I'd suggest option e: "Submit via the bounty and have someone else disclose it after 90 days." (That's if you care more about not burning your account on the bug bounty program and less about receiving credit for finding the vulnerability. Otherwise I'd go with option 2, "Mail the vuln to security@ and hope", then disclose after 90 days if/when you don't hear back, perhaps negotiating to 120 or 180 days if they ask and sound like they're actually working on it and not just bullshitting you.)
Post #AUXJ3INggrsZKL3vdo by TonyYarusso@infosec.exchange
2023-04-11T07:59:57Z
0 likes, 0 repeats
@mjg59 Trying to force stupid terms on people should have consequences so they realize it’s stupid. Go ahead and disclose without notification, and include a statement that you wanted to use the bounty program and do responsible disclosure but their terms forbid it, so you had to just post instead.
Post #AUXJbXTn3rD603FHOq by xnyhps@infosec.exchange
2023-04-11T08:08:23Z
0 likes, 0 repeats
@mjg59 To me this would depend on whether the vulnerability is in an online service. If it’s not, and so the CFAA (or local equivalent laws) safe-harbor guarantees aren’t relevant, I wouldn’t accept terms that prohibit public disclosure. If it is, it becomes a much harder question.
Post #AUXLdytMJUSXVOUt4y by BenAveling@infosec.exchange
2023-04-11T08:31:39Z
0 likes, 0 repeats
@mjg59 All depends on what you want. To be paid: stick to bug bounty programs with a reputation for paying and comply with requirements. To have it fixed: email them, but also tell them you'll disclose in 90 days. If you think it's likely to be being exploited in the wild, and you want people to protect themselves: publicly disclose. Combinations of the above are also possible, e.g. submit via the bug bounty program, but tell them that you reserve the right to withdraw the notification and disclose in 90 days.
Post #AUXNqCR1zCGUtMCWWW by BenAveling@infosec.exchange
2023-04-11T08:55:20Z
0 likes, 0 repeats
@dysfun @mjg59 Zero payment is common. And if it's because "someone else already reported it", then fair, I guess. But if it's because: "we only pay out on bugs that we fix, even if they're real bugs", then that's not a program you'd want to care about being kicked out of.
Post #AUXNqD5nXcsIvnH54C by mjg59@nondeterministic.computer
2023-04-11T08:56:17Z
0 likes, 0 repeats
@BenAveling @dysfun Being kicked out of Bugcrowd is rather more annoying than being kicked out of a specific vendor program
Post #AUXO32P6anh5XtQE2C by mjg59@nondeterministic.computer
2023-04-11T08:57:22Z
0 likes, 0 repeats
@BenAveling @dysfun (The $0 in my case was presumably because it was classed as a P3, but the vendor acked it and said they could reproduce it)
Post #AUXOR4ptCaS02RPee8 by BenAveling@infosec.exchange
2023-04-11T08:59:54Z
0 likes, 0 repeats
@mjg59 @dysfun It comes back to: are you trying to make a living out of this vs. do you want to see bugs fixed. If you're trying to make a living, do what gets payouts. And if that means you need to comply with requirements and be careful which vendors you target, that's what earning a living is.
Post #AUXOkhCGnisYVzEhM0 by BenAveling@infosec.exchange
2023-04-11T09:01:03Z
0 likes, 0 repeats
@mjg59 @dysfun A lot of vendors are more concerned about whether defects are known to their customers than they are about whether defects are known to the underground.
Post #AUXPKaF28e95Msdp4K by mjg59@nondeterministic.computer
2023-04-11T09:04:35Z
0 likes, 0 repeats
@BenAveling @dysfun Oh I give no fucks about the money (it either goes to charity or collaborators) but if I get kicked off a platform it makes it harder to report vulns to other vendors using the same platform
Post #AUXQqe8dHmIWfsV3mC by BenAveling@infosec.exchange
2023-04-11T09:29:35Z
0 likes, 0 repeats
@mjg59 @dysfun Then you're pretty stuck with the choices you listed:
- submit via the program and adhere to its terms, or
- email, then disclose after whatever period feels reasonable.
Or doing things anon, which wouldn't sit right with me, and is anyway risky. You can always decide on a case by case basis which way to go. If you email, and they reply "please use the bug bounty program", you always have the option to reply "OK, if I can reserve the right to XYZ".
Post #AUXdn7luSx4spKWRwe by 0xAlan@infosec.exchange
2023-04-11T11:54:16Z
0 likes, 0 repeats
@mjg59 your bug. Do it how you want it.
Post #AUXiGeAzSudzXgaQpU by todb@infosec.exchange
2023-04-11T12:36:45Z
0 likes, 0 repeats
@mjg59 I voted for the “mail security@ and hope” but I can hope pretty aggressively. Imagine a polite and cordial way of saying “I want to tell you about this bug, and I don’t want your money. Do you want me to tell you directly, or do you want to learn about your vulnerability from a journalist instead?” Also press@, legal@ and any address mentioned in a privacy policy are good choices when you’re stuck.
Post #AUXj6YGEhgv4Fpn3mC by stribika@cybervillains.com
2023-04-11T12:43:21Z
0 likes, 0 repeats
@mjg59 By accepting their terms you are signing up for way more trouble than you really need to. Especially if the vendor is known for such behavior, you might be better with public disclosure, with a cc to security@ if you are feeling "responsible".
Post #AUY5uKCPSOKc768hEm by szbalint@x0r.be
2023-04-11T17:09:48Z
0 likes, 0 repeats
@mjg59 just disclose publicly with zero notice, or this shit will never stop.
Post #AUY72GiwMUjDbchtvk by charlesdardaman@infosec.exchange
2023-04-11T17:22:44Z
0 likes, 0 repeats
@mjg59 yeah, that’s 100% their problem. If they won’t take the report, you can still count down the days.
Post #AUYbnJcOPoqaolzhdQ by fidgetyhands@wandering.shop
2023-04-11T23:08:07Z
0 likes, 0 repeats
@mjg59 Have a security buddy who you tell before submitting, and then the buddy can disclose publicly later if the vendor hasn't fixed it within a reasonable amount of time? That might just take more steps to not work well, though.
Post #AUYptLyjx1TNEbDivQ by grumpybozo@toad.social
2023-04-12T01:45:01Z
0 likes, 0 repeats
@mjg59 A platform designed to trap and kill issues but never resolve them isn’t *actually* a bug bounty platform.