Reporting Vulnerabilities

As a personal preference, if you find a bug in something I have built - I would like to know. I will then evaluate and fix and make any necessary changes. I feel that it should be done privately, with an email to the administrator or the like.

I do, however, understand the concerns expressed in the article. Its about watching your own back - for the administrators that would like to bring you down or make you suspect to something else that happened on the system. It depends on the type of administrator. An arrogant one would definitely try and defend their system and blame the intruder.

The problem is when the finger gets pointed to the one that pointed out the problem. In fact, it could get worse if there were other problems on the system and they blamed the person who pointed out the problem.

So - If it is a friend's site, I would tell them. If it was someone else I do not know - I may be silent to protect myself.

Interesting post.....

Tue, 23 May 2006 at 14:56:33 GMT Link

To report a bug or exploit, it is firstly important to do it as anonymously as possible. Use an anonymous mailer or something like that.

Secondly, there is no need to bug someone like Amazon repeatedly to fix a simple bug in their system. It's their site and you can't force them to fix it.

With the comment above, particularly with point 3, you are risking personal litigation if you follow that route for something you describe as 'harmless'. I'm not sure what your personal motivation is, maybe to tell your friends "I fixed a bug on Amazon.com!", but personally I think you have done more than enough and should just let it go.

Tue, 23 May 2006 at 16:42:30 GMT Link

5. Stop using the vulnerable system

Tue, 23 May 2006 at 18:00:46 GMT Link

I think when it comes to bug reporting, be it security or otherwise, you (as a developer) need to be careful not to put too many bariers to entry. Most people already fail to report bugs, by making it tough on the small percentage that does, especially tricky ones involving security, you risk alienating the few who do.

In my personal opion it is often better to have a red faced developer (or Company) rather then an unplugged security hole that is being actively abused by so called "blackhats". In my experience people often find every execuse to NOT fix security holes, until they get burnt badly, once or twice. After that they get on with the program so to speak, and if this process takes an occasional full disclosure, so be it.

In many cases people publish unfixed exploits because the vendor refuses to fix it or deploy a solution in a timely manner. So, the person who discovered the exploit publish in an attempt to accelerate fix deployment and warn users of the possible issue so that they can put intermediate workarounds.

Wed, 24 May 2006 at 02:53:18 GMT Link

I found a bunch of exploits on local university and business websites.

I phoned them up and let them know. A lot of the time you can find the person in charge of the website(s) by searching the website or asking the receptionist.

Once a guy asked me for my name and I just gave him a fake one... He appreciated me calling him but I wasn't going to take the risk.

Wed, 24 May 2006 at 16:58:12 GMT Link

My experience at telling anyone to correct anything is at best problematic and seldom received as intended.

My advice is to realize that money drives the incentive to change, unless they are hit in the pocketbook, they won't listen.

So, either leave them alone, get on with your life, and allow them to experience the problem financially by some hacker OR make a name for yourself. Choose your actions wisely.

tedd

Thu, 03 Aug 2006 at 14:29:44 GMT Link