9

While writing software for an application platform developed by a third party company, I came across a security vulnerability in the framework's code that could allow unprivileged code to perform unauthorized privilege escalation through a vulnerability in a sandboxing solution.

I have notified the company of the security problem and have even developed a patch for the problem within less than a week and the company still has not released an update to the product to fix this vulnerability.

This company has currently sold over 40 million copies of this product, and after several weeks, has still not fixed this vulnerability. What should I do to make people aware of this vulnerability and what they can do to protect themselves, without giving the "bad guys" tools that could be used to attack the platform? Is there anything I could do to convince the company to release a security update faster?

What are the best practices in the security industry for this kind of situation (note: I'm a software developer, not an IT security expert)?

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
bbosak
  • 191
  • 1

4 Answers4

8

Honestly some people need a wake up call before they take responsibility for their mistakes.

Give the company a set time, like one month from today to release a patch. If they do not comply post information about the vulnerability on the Full Disclosure Mailinglist. By not making this information public then you are risking that organized crime will discover this flaw and exploit it for profit.

(I hate to say it, but you have already given an attacker enough information to find this vulnerability. There aren't many platforms with 40 million sales... The clock is ticking.)

rook
  • 47,238
  • 10
  • 96
  • 182
  • 4
    +1 on this. Be civil, be careful, explain the issue fully, give them time, but be firm. If they take a while, give them an exact date on which you will disclose. Also offer to extend the deadline if and only if they can convince you that they're incapable of fixing it by then, but don't let them string you along. – Polynomial Dec 05 '12 at 09:05
  • 1
    +1 to this post and +1 to Polynomial's comment. This is exactly what I would have said. – JZeolla Dec 05 '12 at 18:06
4

You can make a timeline
First of all, they may be working on testing and rolling-out a fix. Before you go public, you may want to let them know your timeline and see if they respond. They may be more willing to communicate if they have an incentive to do so.

You can be vague
Your typical "black-hat" is not as bright as he wants to appear. As a rule, the bulk of the anti-sec world relies on ready-made proof-of-concept code to build their exploits. If he's smart enough to write an exploit from scratch, then he probably will sell to the code to a criminal organization rather than posting it on a exploit-db. That's bad in that the really bad guys have the code, but good in that your average script-kiddie does not.

As such, sometimes security researchers will release vulnerability details in vague enough terms to make it difficult for an unskilled programmer to build an exploit but easy for a skilled programmer to spot the flaw. Typically this buys you a few weeks; someone's going to write POC code eventually.

You can just go for it
There's the fairly common view that if you can get it into white-hat security tools as quickly as possible (e.g. build a nessus plugin, etc.), then you're offering the best protection overall. The black-hat code is inevitable once the exploit is commonly understood. But at least you can give the defenders a head-start.

tylerl
  • 83,435
  • 26
  • 152
  • 232
4

In addition to the excellent guidance from Rook and tylerl - are you certain you have the correct contact at the company?

Large corporates can be useless at passing information internally, or even being aware of who to pass it to, so make sure you are sending the information to the correct team.

Consider sending it to a wider audience at that company - do your research; google for the right contacts. This could include the CIO or CISO, or even marketing directors etc.

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
2

I'm starting to get very worried about disclosure (where I live) because there are more and more legal action cases being taken by publicly spirited skilled security researchers like us.

The options are:

  1. Anonymously disclose to one of the public disclosure websites
  2. If you have a contact at the organisation that you know and trust (e.g. an account manager), then explain to them the issue and ask them to take ownership of the issue. Ensure that you don't have anti-hacking/deconstruction clauses in your licence/contract (a lot of ours do)
  3. Use a third party paid disclosure site like Exodus Intel, Netraguard etc.
  4. Like @Rory above, use it as a bargaining point when negotiating the annual service/maintenance fee for your organisation. The fee is usually between 18% and 25% of the original price and the company should be working to earn it.

I've stopped publicly disclosing; in part because the law in Scotland (where I live) makes it a criminal offence,

Callum Wilson
  • 2,543
  • 12
  • 16