How You Respond to Security Researchers Says Everything About You (soatok.blog)
43 points by todsacerdoti on Jan 21, 2023 | 17 comments



Company culture matters! — LastPass support did not seem to have a culture or awareness of security. If this was embedded into all roles, then a support rep would have understood and escalated the matter.

Additionally, maybe there is no culture of escalating? Maybe customer support needs to “keep all tickets away from engineering?” If customer support cannot escalate this thread, what hope is there for team A to escalate a vulnerability to team B?

With very little data, this all seems like cultural red flags.


Something that helps, in my experience, is what Colin Percival teaches: use the phrasing "coordinated disclosure", rather than "responsible disclosure".

This helps company staff understand that the disclosure and the bug are both happening, and the company can choose to coordinate or not, and there's no need to debate what's responsible or not.

Send a link that explains your position, and how the company can respond. Here's mine and feel free to use it...

https://github.com/joelparkerhenderson/coordinated-disclosur...


Did this guy seriously try to reach the security team through the normal customer support channel that's probably automated with bots, and then judged the company according to that?

And that's after they do have a bug bounty program, and instead of speaking with bugcrowd who denied him, he decided to go through a channel that's clearly not meant to handle these kinds of issues.

This is just such a poor understanding of how companies work. If he just emailed a real person in the company he'd have a real chance of getting a real response.

Imagine judging a pizza company by how the pizza ordering hotline didn't take your vulnerability disclosure. This sounds ridiculous. Now customer support is just like a pizza ordering line.

If you want to contact a company about something for which they usually don't have a normal channel, you need to speak to the right people. Need to write a nice email, even if they don't have "security.txt", to some manager or someone else you could contact, and ask nicely who to contact further about it. And try more than one person.

If you're not a customer, do not go through customer support. It's the worst channel in every company because they need to serve bulk communication. And they see an incredible amount of shit from confused customers, so don't expect them to realize that there's something important going on.

And be nice. If you're acting like an asshole, you could have a million dollar issue and you won't get past customer support. They are an asshole filter. They are meant to filter out all the assholes trying to reach the corporation. Their number 1 instinct is to block assholes. If you sound like trouble, it's literally their job to filter you.


You should read the linked blogposts about the "speaking with bugcrowd". (TL;DR: it took a few months and a minor social media shitstorm after they banned him for them to notice that their processes suck)

Attempting alternative contact paths in parallel is entirely valid.

> Need to write a nice email, even if they don't have "security.txt", to some manager or someone else you could contact

That's clearly what he did: contact those who he could contact. If the only contact info you publish is your support team, then your support team has to be able to handle everything people try to contact you about. So yes, it's an entirely valid expectation that the publicly provided contact for a security company can handle requests to please be directed to the security team. It's your choice as a company to not make your security team directly available, and your problem if people thus can't reach it.


You would probably have a better chance of escalating any issue with a mail to anyone that isn't customer support. If you're a security researcher, imagine customer support as this big human firewall to communicating with this corporation, meant to be extremely strict so the communication with the rest of the corporation won't be flooded with all the things customers want.

If you're not understanding this properly and wasting time trying to contact someone through customer support, that's on you. Which company doesn't even matter.


> If you're not understanding this properly and wasting time trying to contact someone through customer support, that's on you. Which company doesn't even matter.

There really are plenty of companies where this would have worked fine; I'm reasonably confident contacting support@ for something like this at all places I've ever worked would have been escalated. Maybe with some back-and-forth for 1 or 2 messages, but not outright refusal.

One reason why I always try to have a good relationship with the support staff (including talking to them at company parties and the like) is so they're not afraid to "bother" me if they're not sure about something. Of course support shouldn't be bothering me with basic inane stuff, but as an organisation you can certainly foster different kind of cultures and attitudes.

That said, your chances of this working are usually proportional to the size of the organisation: the larger the organisation, the less chance you have. Still, LastPass isn't that large, and the support person does seem rather obtuse. I suspect that Soatok's style of communication didn't help with that, as it may have caused the bozo bit to flip for the support person. This in turn seemed to have caused Soatok's bozo bit to flip for the support person as well.

However, at the end of the day, it's primarily the company's responsibility they're contactable in a reasonable manner, and it's not "on you" if they're not. Having to e-stalk and contact random people who happen to work for LastPass is not reasonable.


I think it's more likely that they didn't know how to escalate it than I flipped the bozo bit.

I eschewed like 4 email exchanges that weren't that interesting, which were me trying different ways to explain the problem and the specific action I needed them to take. They're very boring and tedious to read, because nothing moved forward at all.

If something I said did flip a bozo bit, it was either in the first contact (which I don't have a record of) or something I'm totally oblivious to, so I appreciate you calling that possibility out.


Right; I'm just going on what I'm reading in your post, which I assumed was the full thread.

Obviously I don't know what this "Melvin" person thinks or feels, but a number of things in your emails would elicit a "fuck you"-response for me. Even though your frustration might be understandable – I really hate dealing with this kind of stuff too – that's rarely helpful.

I don't know if you've ever done support work, but typically you need to deal with a lot of genuine assholes and unreasonable people, and people tend to contact support when something isn't working, so they're already more frustrated (i.e. angry) than average. So it's not surprising that in support people tend to get a bit more defensive than normal, and jump to conclusions faster. "Oh, another asshole".

And you need to answer n tickets every day, and response times are often monitored as well. You don't have time to carefully reflect and think about things for 10 minutes over a coffee. If someone on HN replies and my immediate feeling is "fuck you" I typically let it be, and maybe reply a few hours later, or the next day, or not at all. You don't really have this option in support.

There's also the art of "white lies" here. Instead of going on in detail on why Bugcrowd doesn't work, just say there are technical issues with Bugcrowd or something like that. No need to explain they erroneously closed your report because "they shat the bed".


I'll translate your messages so you'll understand how you sound to customer support:

"I reported a security valley to LastPass’s bug boopy bopy.

Please ask your security team to look at the linked bug boopy bopy ticket. The teetee team shat the bed."

"Allow me to explain carefully.

I followed the steps in your security page, yes. I reported the issues I found to bowy.

However, bowy employees take it upon themselves to teetee issues on behalf of their customers.

In this case, the bowy employees shat the proverbial bed and incorrectly dismissed an issue I reported. Because the issue was closed as Not Applicable (erroneously), it’s unlikely that your security team will notice it without escalating some awareness of this teetee error to them.

So please pass that onto your security team so they’re aware to look in the Rejected tab."

"This is the order of operations so far:

I identified a coopy seesee-channny in the LastPass software. I reported the issue to bowy with a detailed analysis and a patch for making the funky conta tammy like it was intended to be. Several days after I reported it, a bowy employee stupidly went “no FOL expee? not applicable” and closed it erroneously. I’ve contacted toto support with one goal in mind: To ensure your security team actually sees the report in spite of bowy closing it. I don’t care about whether or not your team overrides their decision. I just have an ethical obligation to disclose security issues.

If this isn’t resolved by 5:00 PM Eastern today, I’m going to say “Fuck it” and go Full Disclosure.

Escalate. Tell me when you’ve escalated.

I don’t need your help beyond that."

"Thank you for escalating.

I don’t understand your question. I reevee egengi your software to study how it works, found a valley, and then reported it."

That's how you sound. All he could notice is that you have something with shitting in beds twice, and that you "Fuck it". I bet from confusion he asked his manager what to do and the manager replied that you are a phishing email, and he didn't even understand that.

If you do end up needing to talk to people who wouldn't understand you, explain nicely what your credentials are, don't shit in beds, and ask nicely to get direct contact with someone responsible who can understand you. Not broken telephone. Don't speak to people in gibberish to them.

And honestly, shitting in beds is an uncommon saying and universally gross. Keep that shit to yourself.

You're trying to communicate professionally, not be that barking dog shitting in beds. It's not the world's fault they can't take that seriously. It is your choice. Your words. Your image and communication isn't there to serve your internal identity, it's there so that people will respect you and take you seriously.

I couldn't care less how you present yourself, but I assumed you're at least not oblivious to how you sound and look to everyone. I don't mean to insult, just to put a mirror. And to remind you this is your choice.


Wat? If the "ordering hotline" in this instance didn't know what to do, surely they should tell their manager? That's how it works in most businesses. Why is it suddenly different for hackable pizza stores?


At most they would refer you elsewhere, but most probably they would kindly ask you to contact someone else so they can serve people looking to order pizzas. They get prank calls and all sorts of nonsense. They get customers asking all kinds of weird questions constantly, and they can't distinguish them from Mr important security researcher here that's not even a customer. They will just get confused, return an automated reply and move on to the next request because they are paying them to handle bulk requests. They are not meant to escalate to a manager, it's literally their job not to do it. And their manager is just another customer support person.


> and they can't distinguish them from Mr important security researcher here that's not even a customer

Bold of you to assume that I wasn't a customer. (I was, at one point. Not that it's relevant today.)


It's interesting that after all my points, you decide to nitpick that one sentence where I didn't assume you weren't a customer, I stated the fact that you didn't contact them as a customer.

It's interesting because it's similar to how you decided to base your entire judgement of this company on an encounter with customer support.

You can't just throw everything into a bad or good bucket because of how it triggers you emotionally. I bet I quite annoyed you. Doesn't mean the best thing to do is just find that one sentence where I'm slightly wrong and judge me on that.

Try to emotionally detach. When a bug is pissing you off, do you throw the whole program with it? Or do you understand what's going on and what is there to learn, despite the annoying bug?

Do I have something to learn from this incredibly annoying person that embarrassed me on HN?

Or should I just find something to nitpick?

I'm not your enemy. Customer support isn't your enemy. And the security researcher coming to your company with some annoying bug bounty isn't an enemy either. There's that saying, Homo homini lupus. Don't be like that.


Sorry dude but your argument here is extremely weak. You need to establish why the customer support couldn't refer the call. "Crank calls are a thing" really doesn't cut it.


Rick is the VP of Engineering at 1Pass btw. Very impressive.


TL;DR: How You Respond to Security Researchers Says Everything ... [ About Your Business State ].


[flagged]


I don't wear a hat, I wear a fursuit head.

Any judgments (white hat, black hat, etc) are invalid and often little more than projection.

