Responsible Disclosure for Cryptocurrency Security

Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software.

Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don’t have an ongoing relationship with the hardware and software providers that protect their funds—nor do they have an incentive to update security on a regular basis. Turning to a new security provider or using updated software creates risks; leaving everything the way it was feels safer. So users won’t be rushing to pay for and install new security patches…


A company is still leaking highly sensitive data well over 90 days after I have reported the issue, where to go from here?

Back in February, well over 90 days ago, I reported a vulnerability to a service that is leaking highly sensitive data, such as passport ID, full name, date of birth and medical data. After that I have sent a few more reminders about the l…

Wyze Camera Vulnerability

Wyze ignored a vulnerability in its home security cameras for three years. Bitdefender, who discovered the vulnerability, let the company get away with it.

In case you’re wondering, no, that is not normal in the security community. While experts tell me that the concept of a “responsible disclosure timeline” is a little outdated and heavily depends on the situation, we’re generally measuring in days, not years. “The majority of researchers have policies where if they make a good faith effort to reach a vendor and don’t get a response, that they publicly disclose in 30 days,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me…


How dangerous is a leaked private key from outside the infrastructure in context of: "Azure Active Directory keyCredential property Disclosure?"

Microsoft published the Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs which describes how to check if an Azure AD is possibly affected by the private key di…

Security researcher asked for responsible disclosure but not want to disclosure anymore? [closed]

Suppose I reported a critical vulnerability at their responsible disclosure email, and I share the impact of the vulnerability but not the actual information in the first email.
They replied back stating, ‘what is the vulnerability informa…

Missouri Governor Doesn’t Understand Responsible Disclosure

The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state.

The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.

[…]

According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages…
