Let's say I'm doing a pentest on BlueCorp and find a bug in the software UnrealSec, which is made and distributed by SecCorp and used by BlueCorp, during said pentest. Should I report this bug to both BlueCorp and SecCorp, or only to one of them?

What paperwork do you have in place with your customer? Usually this is something that is clarified in the contracts and waivers you have your customers sign. – plonk Nov 26 '20 at 07:26
2 Answers
For an ethical disclosure, I would create two different reports:
Report it as a general finding to BlueCorp, which would help them to decide whether to stop or interrupt using the product or mitigate the threat otherwise, depending on how severe it is.
Send a more detailed report on the bug, possibly with a proof of concept (PoC), to the developers of the software, i.e. to SecCorp.
This prevents BlueCorp from using or selling this information before SecCorp has had time to fix it. After all, it is unlikely BlueCorp would need more detailed information, as they would not fix it by themselves anyway.
Unfortunately, you are only contracted and paid for the first report, but that is a responsible thing to do. Who knows, you might even get another gig from it.
In my opinion, you should report to both.
You did the pentest for BlueCorp, and it is a security risk in their IT landscape. They use insecure software, which could lead to a successful attack. Therefore it should be part of your report to BlueCorp. It is uncertain whether they will insist on fixing the bug or switch to another, more secure solution.
The developers of the software should also be informed. The (security) bug has an impact on all users of the software and should be fixed. It is not certain that BlueCorp would tell them, so you should send a bug report.
One concern with notifying your direct customer is that you may basically be handing them a 0day in software that can be used against e.g. their competitors. Therefore it may make sense to negotiate embargoes on vulnerabilities with BlueCorp - e.g. they get notified that there is a vulnerability in UnrealSec, but only get details once BlueCorp has patched and notified all other customers. – plonk Nov 26 '20 at 07:39