Yesterday I was exchanging some messages on Twitter – specially with Kymberlee Price (from BugCrowd) – about the relationship between vendors and security researchers when disclosing a security issue.

In my experience I know what’s the feeling of trying to help a vendor and they ignore you or in some extreme cases even “inviting” you to stop what you are doing on their website. Vendors need to understand that most security researchers are here to help – working in the same side against bad guys. The problem in this connection is trust.

Vendors don’t trust researchers.
Researchers are loosing trust on vendors.
We need to fix it.

I had a bad experience with lots of big IT companies. Specially the ones I usually use on their products. I don’t go around companies and test vulnerabilities like crazy. I just like to feel more secure when using some web application.

In my opinion these are the main issues:

  • Lack of information on where to report a security issue
  • Security report gets lost in their support system
  • The vendor don’t reply back or just say it will be forward to the developing team
  • Vendor don’t update the security status
  • Researcher could even get threatened about the report

But not all vendors are like that. I already tried different approaches who seemed to work.

  1. Email the vendor giving them a small presentation telling who you are and ask for the right person to deal with a security threat
  2. After you got the email, try to schedule a online chat or even Skype meeting to establish some kind of trust between both parts.
  3. Talk about that you found, the consequences and a possible solution.

If you manage to do all this I bet the treatment in the future will be better for you and for future researchers who try to contact them.
You as a researcher have the responsibility to prepare the path and improve the communication between vendors.
Don’t give them hell! Give them trust!

Even on bug bounty programs you have issues. Vendors who reply to your report in 1 year without even worrying about getting the researcher a feedback like:

We’re working on it. It will take some time, maybe weeks or months…

Even yesterday – Sean Mealia wrote on his Twitter that Uber changed their in-scope program after he sent a couple of security issues.
It also happened to me in a private program for a popular online newspaper. I reported a security issue where a attacker could steal users information and they categorized as “Informative” and fixed it in a couple of days.
This type of situations are not good for the business. Vendors must respect the researchers and visa-versa.

Well this are my thoughts about this, feel free to share yours in the comments section.

For those who are interested about this topic I recommend watching the video of Kymberlee Price at Kaspersky Security Analyst Summit 2016.

Leave a Reply