
Adventures in vulnerability reporting - el_duderino
https://googleprojectzero.blogspot.com/2018/08/adventures-in-vulnerability-reporting.html
======
lawl
When vendors are that annoying I usually just go full disclosure.

I found some privilege escalations on some small cloud providers though that
went as far as ignoring my mails to their listed security@.... e-mail, or
yeah, not having a contact listed at all.

Not quite sure what to do with those. Posting these to a full-disclosure list?
They're too small; nobody's going to care, until someone does and steals
customer data. Might as well just ignore it until someone else discovers it
and steals customer data?

~~~
eat_veggies
HackerOne provides disclosure assistance [0] for uncooperative companies. Not
sure how they handle it from there.

[0] [https://hackerone.com/disclosure-assistance](https://hackerone.com/disclosure-assistance)

~~~
greggman
HackerOne and some issues with it are brought up in the article.

------
red_admiral
Responsible disclosure is an unwritten agreement between two parties.

If I find a vulnerability in your system, and you don't go out of your way to
make it hard for me to report it, then I will send it to you first.

If you show some interest in fixing the vulnerability, I will hold off talking
about it for a while.

If a company doesn't do their part in making responsible disclosure possible,
I don't feel bound by it either. If it's anything big, I'd first report it to
the national authorities (CERT, NCSC, ICO if there's personal data involved).
Want me talking to you before I talk to the authorities and possibly a lawyer?
Provide me with a contact option that doesn't involve agreeing to a small
novel's worth of disclaimers.

------
voltagex_
FTA: "The difficulty I encountered reporting this serious vulnerability
delayed my report one week. It might have caused a longer delay if I did not
have contacts at Samsung who could help"

I haven't had to report anything too serious, but I've found this in most big
companies (including Google). It's seriously frustrating, but I wonder where
the balance is between being too hard to contact and opening the floodgates.

