On the 28th September 2011, we notified a vendor about multiple security vulnerabilities in one of their products, and requested contact details for whom to send the details to.
The initial response from the vendor support team took 6 days.
The complete details of the vulnerabilities were disclosed to the vendor on the 5th October. These included screenshots, HTTP requests and responses, and Proof of Concept code for the vulnerabilities. After that, no response was received.
We then sent another e-mail to the vendor on the 11th October, asking for an update on these issues, or if they had even received our original e-mail with the details of the vulnerabilities.
We received no response from the vendor.
On the 8th November, we finally received a response stating “These have been replicated by R&D and they will fix in a later release.” No “Thanks for your help guys”, no dates that these will be patched, no responses to our other queries.
We followed this e-mail up with a response to the vendor, asking to work together on a timed release, and to agree on some reasonable dates. The vendor response was “I have asked for timescales for the fixes and will update you when these are released.”
Now just to be clear, we are not getting paid to disclose these vulnerabilities to any vendors. We are doing this to help make the Internet and networks in general a safer place for all.
We don’t ask for much, just credit for the disclosure of the vulnerability, and a timely patch to mitigate the vulnerabilities. It really doesn’t need to be this difficult to report vulnerabilities, and a little bit of thanks and courtesy never hurt anyone.
To all software and hardware vendors out there, can you please take a few moments to read the Wikipedia article on Responsible Disclosure, which can be found here. Then please work with your relevant teams to make it easier for researchers to report vulnerabilities in your code and to work with you.
We understand that not all vendors can afford to hire fully fledged security teams, and most security professionals are willing to help you secure your applications and devices just for the credit of finding the vulnerability in your product. That’s got to be the cheapest application security assessment that you’ve ever had!
Little things, like an e-mail address, or a form on your website to contact your product security team, or even your developers, would make a world of difference. This would also help to make sure that we as security researchers contact the relevant teams within your organisation right off the bat (and don’t get sent around the houses while trying to do you a favour). This way, we can always deal with the same person (or team) within your organisation, and get any vulnerabilities mitigated in a timely manner.
Please guys and girls, help us to help you. We’re giving you free security advice, educating your developers and strengthening your products, all this for a one-liner in your security patch disclosure notification.
Think about it…