
This isn't directly related to the article, but does anyone know of any good resources or best practices on how to report a vulnerability?

A few days ago I discovered a pretty major vulnerability on a certain website, but security isn't the focus of my day job and I wasn't sure where to begin and what to keep in mind. The author of this article had some problems with the disclosure process; maybe there are best practices that could avoid these.

I found the OWASP cheat sheet [0] really useful, but other than that, I didn't find too many other relevant resources.

The vulnerability I reported has now been fixed, but I'm still pondering whether to publish the details or if it would just stir up unnecessary trouble. So it would be good to have resources that will help inform my decision.

I think a lot of people who want to report vulnerabilities probably feel like they don't know what they're doing, and they probably don't feel very well supported through the disclosure process. At least, that's my experience.

[0] https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...
I would think any general contact form that merely opens the conversation would be reasonable (mailto:hello@example.com?subject=how+to+contact+your+security+team), as would checking the major bounty websites for a listing -- not that you would be shopping for the bounty, but because that's where a receptive audience would already be listening for such reports.

As for whether to publish a fixed vuln, I would guess that boils down to whether you value the blog traffic and any commentary enough to wade into that. In my mental model, so long as your research was your own, then you generated that content and have every right to talk about it, perhaps even inspiring other non-traditional security researchers to try their hand, too.