Ask HN: How should I publicly disclose a vulnerability without hurting users? - azelfrath

I don't want to mention names right now or go into too much detail, but I have found a vulnerability in an open-source application that could be exploited to financially damage those who run it. I have tested this myself under various setups and confirmed that it works.

I contacted the developers about the issue, including versions affected, the exploit, and the fix. Within 5 minutes, I had a response saying, in effect, that they "cannot be responsible for the user not knowing".

I'd submit a fix myself, but there's no place to do so. It's an open-source app but you cannot commit publicly. I want them to fix this because it's an extremely simple patch, and the potential damage resulting from an exploit would be crippling.

If I blog about it, or otherwise publicly post details, people could get hurt. If I don't, the developers have no reason (or rather, motivation) to fix it.

Advice?
======
Natsu
The EFF has a nice FAQ on this that you might find useful:

https://www.eff.org/issues/coders/vulnerability-reporting-faq

------
cpt1138
By "hurt" I assume you mean financially and not that anyone will be physically
harmed. If you've done due diligence by contacting the developers, I think you
have a responsibility to make it known what you have found so that others can
put pressure on them to fix it. Just my .02

~~~
azelfrath
<sarcasm> Actually yes, physically. The bug is in a beta version of Skynet.
</sarcasm>

I tend to agree with you, and that's what my heart is telling me, but aren't
there legal issues involved? I seem to recall the standard being something
like "Wait 30 days after informing", but if they outright refuse to fix it
before then and they say so, am I able to be sued for damages if I disclose?

------
ALBsharah
Maybe a logical "2nd step" for you would be to disclose that you've found a
substantial bug that could "financially harm users" if exploited...but don't
actually share the exploit. Post that you've contacted the developers as of
<date> and will give them X days to resolve the issue.

Now, as for that final step...that's up to you. Not sure of the legal
ramifications of sharing the exploit, or frankly, what the benefit to the
community would be. I think your goal should be to put pressure on the
developers, but not to actually expose the threat. If they never get around to
fixing it, you've just potentially screwed the community (not to mention those
that might never see the update).

