
Hacking/cracking deontology [closed]

Tags:

cracking

Let's say you recently discovered some major vulnerabilities in a couple of websites that operate mainly in your country and are very powerful in their market. The vulnerabilities I'm talking about are as bad as letting me browse the admin interface with super admin privileges.

What would you do now? I'm thinking of something like:

  1. Report the problems to the company.
  2. Publicly announce that there are security holes in those applications, but without disclosing the actual exploit.
  3. Give the company time to fix its problems. (How much?)
  4. After the problem has been fixed, or the grace period for fixing has passed (whichever comes first), fully disclose the vulnerability.

What do you guys think? Do you have some materials to read about this or experience to share?

Ionuț G. Stan asked Mar 29 '09 08:03


2 Answers

Talk. To. A. Lawyer.

This could get sticky depending on the company. By saying "you have xx days to fix this before I announce the exploit", you are basically saying "do what I expect, or I will cause you lots of grief".

The other issue is, how did you discover this? Were you using the site 'normally', or did you see the potential for the hole and decide to see if it worked? This is very important to keep in mind, especially if you are considering setting a time limit to fix the issue. I'm not sure what the laws say where you live, so please, talk to someone who does.

You might end up with their thanks, some cash for entering into an NDA (you did, after all, browse the admin interface), and you might get some credit in the security industry. But be very, very careful, and do try to seek the advice of an attorney.

Tim Post answered Dec 11 '22 08:12


I think you are on the right track.

The general trend in such cases is to file a bug report with said company and give them some time, depending on the severity of the issue and the time estimated for a fix. After that, there is usually a full disclosure if the company doesn't ask you otherwise (for a premium?).

However, if the company doesn't get back to you in time, or does not acknowledge you, you have the right (I believe) to publish your results for the greater good.

Whatever you choose to do, maintain a proper record of your communications with the company. This may help avoid unforeseen circumstances.

dirkgently answered Dec 11 '22 09:12