Ask HN: I have a zero day, what should I do? - jacksoncarter

I informed the company about this security hole many months ago. It is still open. Their customers are being affected. I want them to fix it, but they won't fix it, maybe they can't.

What should I do?
======
cperciva
It's hard to offer advice without knowing more details, but I think it's good
that you're not providing many details in a public forum like this.

Some issues can be fixed quickly; others take a long time. The AWS signing bug
I found, for example, took over 6 months to fix, because Amazon had to create
a new signing scheme and then update a _lot_ of code to use it. Because of
this, I would hesitate to specify a hard expiry date; my usual approach is to
ask for periodic status reports and only "turn up the heat" if it sounds like
the issue isn't being taken seriously.

If they don't seem to be taking the issue seriously, there are two
possibilities: 1. They're not taking the issue seriously; 2. They didn't take
_you_ seriously and never actually looked at the issue. In either case, it
might be useful to work through someone who has experience in vulnerability
handling; myself and tptacek come to mind as people who could help here.

~~~
jacksoncarter
It is a very difficult problem to solve. I do know that. It's been about 9
months since I first informed them of the issue. I sent them source code that
illustrates an attack. Many of their customers are being affected right now,
by something. I can't prove that this is the mechanism behind the current wave
of attacks, though I can prove that this mechanism would allow a hacker to
compromise sites exactly as is being described by victims.

They did take me seriously. I believe they aren't fixing the problem because
they will have to rewrite a lot of their code, their customers will have to
rewrite code, and many will be forced to find another provider altogether,
which means the solution has negative financial impacts.

Not solving it means negative financial impacts on their customers in lost
time to rebuild affected data. It's very well possible that malicious people
know about this and are using it right now to gather usernames and passwords
for later attacks. Hundreds, perhaps thousands, of databases may have been
siphoned off already.

How do you "turn up the heat"?

~~~
cperciva
_How do you "turn up the heat"?_

Start saying things like "if you don't start making progress on this, I'm
going to publish details". Contact Mitre and ask for a CVE #. Write to CERT,
CERT-FI, or NISCC and ask them to help you. Write a blog post about the issue
and send it to them saying "I'm going to put this online on Monday unless I
hear from you first".

Then put the blog post online on Wednesday.

EDIT: Also, try different communications channels. Sometimes a phone call is
far more effective than an email.

------
ig1
Sell it to TippingPoint (<http://www.zerodayinitiative.com/>) and let them
deal with it, having a major security company approach them will force them to
take it seriously.

------
sdrinf
Inform them that your obligation to approach a mutually convenient solution
discreetly is about to expire within 48-72 hours (depending on scope; your
call); after which you will disclose, and syndicate the security hole to the
public at large.

Inform them that you're dissatisfied by their manner of handling sensitive
customer data, and the hole might already have affected existing customers
without their knowledge.

And finally, inform them that should they be willing, but unable to provide a
fix in a timely manner, I'm available for security consultation and
implementation; e-mail me at sdrinf [at] gmail for a free initial consultation
;)

------
tptacek
If you're still wondering about this, contact me directly (my info's in my
profile).

My advice would be not to try to sell it.

------
csmeder
Sorry, kind of off topic, but IF I am to trust Wikipedia, wouldn't this not be
called a zero day? It would be called a 9 month?

"The term derives from the age of the exploit. When a developer becomes aware
of a security hole, there is a race to close it before attackers discover it
or the vulnerability becomes public. A "zero day" attack occurs on or before
the first or "zeroth" day of developer awareness, meaning the developer has
not had any opportunity to distribute a security fix to users of the
software."

-<http://en.wikipedia.org/wiki/Zero-day_attack>

~~~
ashearer
It would be a zero-day if exploits had already started at the time of
discovery. The OP implies that attacks are already underway, possibly
predating the discovery, but doesn't mention having solid proof of that.

------
loupgarou21
Talk to the company. Find out why they haven't fixed the issue. Talk to an
actual engineer at the company. Maybe they are working on it but are having a
hard time resolving the issue properly.

------
frossie
Is this company an employer, or a business partner, or is it just some random
company that we are talking about?

~~~
jacksoncarter
I am one of their customers. I believe I have been affected by this issue in
the past.

~~~
frossie
Good grief. Take up the offer of the HNers that have replied to you offering
to front the issue for you.