
Ask HN: Found security flaws but vendor seems not to care. What should I do? - throwawayCBNaT9
I've found some web app vulnerabilities in some high profile services in my country, but the vendor doesn't seem interested in fixing them, as 6 months have passed and they claim to have other things to do, which, judging by the announcements on the main page, is finishing missing features.

The fixes to the flaws that allow for iterative exfiltration of PII are _trivial_ to implement as well. The others are simple reflected XSS's.

What is the most appropriate course of action here?
======
SAI_Peregrinus
IMO, post to the Full Disclosure mailing list[1]. I'd do it anonymously if
worried about legal action, but sign the message with a new PGP key. That way
I can claim the discovery later if that becomes advisable.

[1] [http://seclists.org/fulldisclosure/](http://seclists.org/fulldisclosure/)

~~~
dogma1138
This is a very good way to end up paying damages or going to jail, please do
not post it to any public sources without seeking legal counsel.

~~~
dsacco
Assuming the lawyers are cautious and risk-averse (as they should be), their
counsel will be pretty predictable: don’t do it.

On the other hand, if we’re speaking just about doing it anyway, it’s
basically trivial to do this as the commenter described without ever being
caught. Publicly claiming the PGP signature later will obviously not be
trivial, but you can easily send one anonymous email without ever being
caught.

If someone wants to do this out of a sense of personal ethics, and doesn’t
mind restrictions on legally claiming it later on, I’d say go for it. An
anonymous email is not a high operational security bar to pass for someone
technically competent enough to find a security issue, especially if it’s only
once.

~~~
dogma1138
The PGP signature is a pretty bad idea if this goes criminal, and since
they've already reported the vulnerability via less than anonymous means they
can be tracked.

The correct way to handle it is to contact the relevant CERT team in your
country usually on a national or state level.

And if it's regulated industry or information (PII is) you can also contact
the relevant regulator.

Publishing a functional exploit that can be used to gain access to PII on an
open mailing list isn't just illegal it's also unethical.

This advice is quite indicative of anyone who never handled disclosures from
either side of the aisle.

You need to understand there could be good reasons why you might not get a
reply to a reported vulnerability, including the fact that the legal team
and/or the authorities put a gag on it. You don't know what language was used
in the initial report and what information they've accessed. In many
jurisdictions, especially in the EU, you are actually required to report the
incident to the authorities even if it's under a "bug bounty" program, if
regulated information has been exposed. They may allow you to handle it
through your BB program (but they also remind you that you'll be liable for
any mishaps in the handling of the incident); they may elect to tell you to
stop all contact and hand it over; your own legal department might say they
don't like the language used; or some other thing raised a red flag, like "I've
downloaded your entire DB as a PoC"...

I really don't understand why people on HN elect to give such poor advice on a
subject that, while unlikely, can go south really badly on a whim.

~~~
dsacco
_> The PGP signature is a pretty bad idea if this goes criminal, and since
they've already reported the vulnerability via less than anonymous means they
can be tracked._

No it isn’t. Make a new key-pair for the signature. This key-pair will also be
anonymous. Best of both worlds: still anonymous, but you keep the option to
positively claim it later.

The fact that they’ve spoken about it on HN somewhat deanonymizes them, sure,
but perhaps not meaningfully so yet. The OP needs to secure against a private
company’s security and legal teams, not a theoretically omniscient nation
state. If he used an alternate IP address for this throwaway, he’s still
basically fine.

 _> I really don't understand why people on HN elect to give such poor advice
on a subject that, while unlikely, can go south really badly on a whim._

This isn’t poor advice. Speaking for myself, I choose to give this advice as a
security professional and someone who has had to make various disclosures,
both “responsible” and “full”, and of the latter, with and without the
cooperation of the company.

~~~
dogma1138
They've already contacted the company and reported the vulnerabilities, and
likely were much less anonymous in the process.

Generating PGP keys for future claim would require you to keep a copy of the
private key, this copy can be seized if a criminal investigation does happen.

>This isn’t poor advice. Speaking for myself, I choose to give this advice as
a security professional and someone who has had to make various disclosures,
both “responsible” and “full”, and of the latter, with and without the
cooperation of the company.

So have I, and this is poor advice, especially these days with some of the
regulation that is popping up. The line which differentiates between a paid
bounty or a PR piece on your website and criminal prosecution is how you
handle the situation; the law applies identically to both. There are no legal
provisions for doing unsolicited penetration testing because you say you're a
good guy. Heck, in the UK for example, the exemption forms that companies sign
do not actually exempt the individual tester from being prosecuted by the
Crown; they can only be used as a legal defence. In Germany the possession of
"hacking tools" is illegal without a cause, and there are tons of other
nuances for each country and jurisdiction in the world.

Telling people to just post stuff on seclists, especially after already being
in contact with the company, is a terrible idea. So while I do appreciate you
might have had a different experience, it doesn't mean you handled it
correctly, nor does it mean you are giving sage advice.
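
As an added example, not code from anyone in this thread, here is the "fresh key pair, sign now, claim later" idea from SAI_Peregrinus and dsacco, alongside dogma1138's point that the retained private key is the artefact at risk. It uses Ed25519 from Go's standard library as a stand-in for PGP (a real disclosure would use gpg detached signatures, but the property being demonstrated is identical); the `Disclosure` type, the function names and the report text are all invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Disclosure is the bundle an anonymous reporter would publish: the report,
// a freshly generated public key and a detached signature over the report.
// The type and field names are hypothetical, chosen for this example.
type Disclosure struct {
	Report    string
	PublicKey string // base64 of the ed25519 public key
	Signature string // base64 of the ed25519 signature over Report
}

// NewDisclosure generates a throwaway key pair, used for nothing else, and
// signs the report with it. The private key is handed back because retaining
// it is the only way to claim authorship later; that retained copy is also the
// thing dogma1138 warns could be seized, so how it is stored is the reporter's
// real risk decision, not the signing step itself.
func NewDisclosure(report string) (Disclosure, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Disclosure{}, nil, err
	}
	sig := ed25519.Sign(priv, []byte(report))
	return Disclosure{
		Report:    report,
		PublicKey: base64.StdEncoding.EncodeToString(pub),
		Signature: base64.StdEncoding.EncodeToString(sig),
	}, priv, nil
}

// decodeKeyAndSig rejects malformed input so ed25519.Verify never panics on a
// wrong-length key.
func decodeKeyAndSig(pubB64, sigB64 string) (ed25519.PublicKey, []byte, bool) {
	pub, err1 := base64.StdEncoding.DecodeString(pubB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return nil, nil, false
	}
	return ed25519.PublicKey(pub), sig, true
}

// VerifyDisclosure is what any reader of the mailing list can run: it checks
// that the published report is intact and was signed by the holder of the
// published key. It says nothing about who that holder is.
func VerifyDisclosure(d Disclosure) bool {
	pub, sig, ok := decodeKeyAndSig(d.PublicKey, d.Signature)
	return ok && ed25519.Verify(pub, []byte(d.Report), sig)
}

// ClaimAuthorship is the later, optional step: the reporter signs a new
// statement with the retained private key.
func ClaimAuthorship(priv ed25519.PrivateKey, statement string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(statement)))
}

// VerifyClaim checks that a claim statement was signed by the same key that
// signed the original disclosure, using only the public key published then.
func VerifyClaim(d Disclosure, statement, sigB64 string) bool {
	pub, sig, ok := decodeKeyAndSig(d.PublicKey, sigB64)
	return ok && ed25519.Verify(pub, []byte(statement), sig)
}

func main() {
	// Constructed sample report; it names no real product or vulnerability.
	report := "Advisory text for placeholder-service (constructed sample)."
	d, priv, err := NewDisclosure(report)
	if err != nil {
		panic(err)
	}
	fmt.Println("published key:", d.PublicKey)
	fmt.Println("report verifies:", VerifyDisclosure(d))

	tampered := d
	tampered.Report += " (edited by someone else)"
	fmt.Println("tampered copy verifies:", VerifyDisclosure(tampered))

	claim := "I am the author of the advisory published under this key."
	fmt.Println("claim verifies:", VerifyClaim(d, claim, ClaimAuthorship(priv, claim)))
}
```

The design point is that the published bundle links the report to a key, not to a person; only whoever still holds the private key can later produce a valid claim. That is exactly why the retained key, rather than the signature, is what a seizure would expose.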

------
jdietrich
You're in the EU and the vulnerability affects PII, so I'd recommend informing
your country's Data Protection Authority of the risk.

If you make a public disclosure, you are at risk of being bullied by lawyers
at the very least. Handing the issue over to the regulators might be more or
less effective than making a public disclosure, but it should offer you some
protection against liability and legal threats. As I understand it, most EU
member states have some form of legislation to protect whistleblowers against
defamation suits.

[http://ec.europa.eu/justice/data-protection/article-29/struc...](http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm)

~~~
jackgolding
This is the best answer - after contacting the business with your real name I
wouldn't release any information about this to the public.

------
osullivj
Blog it! Vendors uniformly crave +ve blog coverage, and fear -ve coverage. If
you put together a blog post full of vendor and product names and tech detail
on the vulnerabilities, designed for high PageRank, you'll soon have their
attention. You'll probably tire very quickly of them begging you to remove or
edit the post. The PR saying "no such thing as negative publicity" doesn't
apply in our industry sector!

------
quantummkv
First, and this is very important, send them a new mail disclosing the
vulnerabilities that says in clear words that if you do not get a response on
this in a fixed number of days, you will go public with your disclosure. Send
that mail to everyone concerned in the org.

If you do not get a response, then go ahead and make a blog post about it. Be
sure to mention that you failed to get a response from the org in the post.

~~~
bb88
I would not put a blog post about it, since an injunction would be enough to
get it taken down.

I would email a security list since email is not retractable once sent.

~~~
quantummkv
If the service is publicly available to people, I doubt it would matter.
Vulnerabilities are disclosed daily for publicly available services. I
remember someone publicly disclosing the vulnerabilities in the Indian
government's Aadhar app, a public service, on twitter a few days back. I doubt
they took down his tweets.

If the service is not publicly available or is some kind of internal,
enterprise tool, then it would be a different matter.

------
thomersch_
Contact some organisation (e.g. EFF or Chaos Computer Club) which specialises
in that stuff in order to save yourself from being sued by the vendor.

------
jlbribeiro
Beware: I'm not a Lawyer.

Well, if you're in the EU then GDPR [1] will be enforceable from 25 May 2018,
so it is my noob understanding that the vendor you're dealing with will,
sooner or later, be the subject of regular periodic data protection audits and
will be forced to have a Data Protection Officer. Not sure if necessary, but
you may contact ENISA [2] to be advised on how to proceed.

[1]
[https://en.m.wikipedia.org/wiki/General_Data_Protection_Regu...](https://en.m.wikipedia.org/wiki/General_Data_Protection_Regulation)

[2]
[https://en.m.wikipedia.org/wiki/European_Union_Agency_for_Ne...](https://en.m.wikipedia.org/wiki/European_Union_Agency_for_Network_and_Information_Security)

------
dogma1138
Do not post it to any public resource you can go to jail for that.

Your course of action should be:

1) Understanding the legal framework in your country supporting the disclosure
of vulnerabilities.

2) Contacting your country’s CERT team or EUCert if you are in the EU.

------
8draco8
My chaotic good character says release it! Or at least write a blog post about
it, how it is exploitable etc., but either don't give the information about
the company or, preferably, say who it is, prove that this can be done but
don't give any information on how to do it. When it gets to the general public
the company should realise that their pants are on fire.

My solution is not the politically correct way of doing it, but I think that
people who don't care about security should be punished.

------
slazaro
Do they know any personal information about you from your exchanges so far? If
so, be careful because you might be liable if you disclose any
vulnerabilities.

~~~
throwawayCBNaT9
Thank you for the input. They do. I'm in the EU, are you aware of any issues
that I may face if I choose to disclose it?

~~~
TheRealPomax
This sounds like the kind of thing the EU has laws for, where a company is
legally mandated to fix vulnerabilities that may reveal personally
identifiable information if made aware of these. Worth asking someone who's
more of a lawyer than I am about that (since I am definitely not a lawyer).

------
dreambo
Go to the press. If the service is high profile enough, they'll be happy to
post about it, and that will get a response. Works in my country.

------
twobyfour
What makes you so sure fixes are trivial? Do you know what their code looks
like? How big their team is? What resources they have available to devote to
this? What their runway looks like? What pressures they're under from
investors?

In a legacy codebase, even the smallest change can introduce all sorts of
problems; and a small change to output or business logic can require
disproportionately large changes to code. They may simply have determined that
finishing the feature changes they think they need for their business to
survive is more important than protecting against exploits that they consider
either unlikely or low-value.

And how acceptable this is may depend in large part on what the service in
question is and how broadly it's used. The lack of concern you describe would
be totally unacceptable from a bank or even Twitter, but perhaps excusable (at
this stage) from an early stage company trying to build the _next_ Twitter.

------
alltakendamned
You have a few options but it's first and foremost important to understand
laws related to "hacking" in your country.

Your first option is simply to let it go. It might not be worth your time,
energy and risk to pursue this. Certainly if the vulnerabilities are not high
risk. You already did the right thing by notifying them. It's the company's
choice to accept the risk of not fixing the vulnerabilities.

You can file the finding with your local CERT, they might be able/helpful to
coordinate.

You can go full disclosure with it, if you accept the risk the company might
sue you. Even if you're in the right, it might cost you a lot of time, money
and anxiety before the court says you are. See option 1.

Notification to the authority responsible for enforcing GDPR or local privacy
authority might be worthwhile, it depends.

Also, what kind of PII are we talking about?

------
deadmetheny
Release it, in order to force a fix. If they won't do their due diligence and
it's possible to exploit, nothing stops a malicious actor from taking
advantage if they discover it. In the case of public disclosure, it forces
them to acknowledge and fix the problem.

------
sdca
Sell it to the U.S. government

------
sp332
If you don't want to go "public" first, you could contact their customers
directly. Let them go after the vendor for a fix, and in the meantime they can
develop their own mitigations. Even if the vendor still doesn't cooperate, you
can delay going public until the high-profile users have protected themselves.

------
matt_the_bass
I’m curious why this post got flagged? It seems an appropriate question to me?

------
dboreham
What do you mean by "iterative exfiltration"?

Does this mean PII can be extracted by an attacker one user at a time?

