A company is still leaking highly sensitive data well over 90 days after I have reported the issue, where to go from here?

Back in February, well over 90 days ago, I reported a vulnerability to a service that is leaking highly sensitive data, such as passport id, full name, date of birth and medical data. After that I have sent a few more reminders about the l…

Wyze Camera Vulnerability

Wyze ignored a vulnerability in its home security cameras for three years. Bitdefender, who discovered the vulnerability, let the company get away with it.

In case you’re wondering, no, that is not normal in the security community. While experts tell me that the concept of a “responsible disclosure timeline” is a little outdated and heavily depends on the situation, we’re generally measuring in days, not years. “The majority of researchers have policies where if they make a good faith effort to reach a vendor and don’t get a response, that they publicly disclose in 30 days,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me…


How dangerous is a leaked private key from outside the infrastructure in context of: "Azure Active Directory keyCredential property Disclosure?"

Microsoft published the Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs which describes how to check if an Azure AD is possibly affected by the private key di…

Security researcher asked for responsible disclosure but does not want to disclose anymore? [closed]

Suppose
I reported a critical vulnerability to their responsible disclosure email, and I shared the impact of the vulnerability but not the actual information in the first email.
They replied back stating, ‘what is the vulnerability informa…

Missouri Governor Doesn’t Understand Responsible Disclosure

The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state.

The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.

[…]

According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages…

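The Missouri case turns on the difference between what a browser renders and what the server actually sends: nothing sensitive was on screen, but the Social Security numbers were in the page source. The scanner below is an added example, not code from the Post-Dispatch report or from the blog post quoted above, that makes that distinction mechanical: it parses a page with the standard-library HTML parser, keeps rendered text separate from source-only content (HTML comments, hidden form fields, data-* attributes, script and style bodies), and reports SSN-shaped values found in each. The sample page and every number in it are constructed for the example; the dashed-SSN regex is a heuristic that will miss undashed or split values and can match unrelated 3-2-4 digit identifiers.

```python
import re
from html.parser import HTMLParser

# Matches the common dashed form only. An undashed 9-digit SSN, or one split
# across elements, needs a looser pattern and more context to avoid noise.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class SourceLeakScanner(HTMLParser):
    """Split a page into text a browser renders and content that exists only
    in the raw source: comments, hidden inputs, data-* attributes, and the
    bodies of <script>/<style> elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible = []       # rendered text chunks
        self.source_only = []   # (where, detail, text) that is never shown on screen
        self._raw_depth = 0     # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._raw_depth += 1
        # A hidden input's value is sent to the browser but never displayed.
        if tag == "input" and attrs.get("type", "").lower() == "hidden" and attrs.get("value"):
            self.source_only.append(("hidden input", attrs.get("name", ""), attrs["value"]))
        # data-* attributes commonly carry serialized records for client-side code.
        for name, value in attrs.items():
            if value and name.startswith("data-"):
                self.source_only.append(("attribute", f"<{tag} {name}>", value))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._raw_depth:
            self._raw_depth -= 1

    def handle_data(self, data):
        if self._raw_depth:
            self.source_only.append(("script/style body", "", data))
        else:
            self.visible.append(data)

    def handle_comment(self, data):
        self.source_only.append(("HTML comment", "", data))


def find_ssn_exposure(html):
    """Return SSN-looking strings in rendered text, and those present only in
    the source, each source hit tagged with where it was hiding."""
    parser = SourceLeakScanner()
    parser.feed(html)
    parser.close()
    visible_hits = sorted({m for chunk in parser.visible for m in SSN_RE.findall(chunk)})
    hidden_hits = [(where, detail, m)
                   for where, detail, text in parser.source_only
                   for m in SSN_RE.findall(text)]
    return {"visible": visible_hits, "source_only": hidden_hits}


# Constructed sample page (not the real Missouri application): the rendered
# table shows only a name and certificate number, while SSN-shaped values sit
# in a comment, a hidden field, a data attribute and a script. All values are
# made up for this example.
SAMPLE_PAGE = """
<html><body>
<!-- debug: record 1042 ssn=078-05-1120 -->
<table>
  <tr><th>Name</th><th>Certificate</th></tr>
  <tr><td>A. Teacher</td><td>CERT-55821</td></tr>
</table>
<form><input type="hidden" name="rec" value="078-05-1120"></form>
<div data-record='{"name":"B. Teacher","ssn":"219-09-9999"}'>B. Teacher</div>
<script>var records = [{"id": 1043, "ssn": "219-09-9999"}];</script>
</body></html>
"""

if __name__ == "__main__":
    report = find_ssn_exposure(SAMPLE_PAGE)
    print("in rendered text:", report["visible"])
    for where, detail, value in report["source_only"]:
        print(f"source only [{where} {detail}]: {value}")
```

Run against the sample, the rendered-text list is empty while four source-only hits are reported, which is exactly the situation described in the article: a user of the site sees nothing sensitive, yet the data is delivered to every client. Only run this against pages you are authorised to test, and treat the output as a lead to verify, not as proof.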