12

Context: recently I found a vulnerability in a webapp for a big company. They have a full policy on responsible disclosure which I followed to avoid legal issues.
The company commits itself to answering within a time period (in this case two weeks). However that period has ended and I haven't received any response, not even an acknowledgement that they know the problem exists.

How should I handle this?

There are other questions like this one, but often about disclosure to a company without a policy.

Str-Gen
  • 121
  • 5
  • Where did you send the mail to, their supportdesk or a dedicated security mailbox? One mail could've slipped through their ticketing system. Have you CC'd it to mutiple appropriate recipients? Also, have you tried calling them to alert them of the gravity of the situation? – J.A.K. Feb 20 '17 at 12:42
  • 1
    I sent it to their dedicated security mailbox. On their page regarding responsible disclosure they show a specific address to send your info to. Calling them would be no use as I'd be calling their general sales support. I don't have any contacts inside the company so I couldn't cc relevant people. – Str-Gen Feb 20 '17 at 13:11
  • 1
    Thank you for the extra info, that is indeed a tough one. If you got no acknowledgement of them receiving it, it's either a lazy security guy or a technical issue. Speaking to someone will solve both. I think calling general sales, and having them transfer you to a technical person will be your best bet. Just ask; "who should i speak to if i want to disclose a sensitive security issue?" – J.A.K. Feb 20 '17 at 13:18
  • Thank you for the advice, I'll call them and see how it goes. – Str-Gen Feb 20 '17 at 13:37
  • 2
    if they don't abide by the policy, neither should you; force their hand, please. – dandavis Feb 20 '17 at 13:39
  • You could message them publicly on their social media profile/s without specific details - it should get their attention rather quickly and they will most likely contact you. – FatSecurity Feb 20 '17 at 13:54
  • 1
    I would be rather cautious about publicly messaging them. Depending the situation they might be able to legally do something. – RoraΖ Feb 20 '17 at 15:29
  • 5
    Yeah those last comments calling for you to 'please' impact them don't sound like they've been through a lot of disclosures. As someone with a few CVE's I've seen a few careless friends get in trouble.Like I said, them not getting your message could be a technical issue. Companies without policies have sued people for a ../ or an apostrophe, and in the US the sentences are worse then those for terrorism. – J.A.K. Feb 20 '17 at 18:35
  • I was about to ask the same question. Did they eventually get back to you? – StackOverthrow Feb 19 '20 at 00:39

3 Answers3

3

Many companies do not acknowledge or discuss a security issue (even with the researcher) until a patch has been released and the majority of users have updated (Apple is a good example of this). Some companies may send you an email saying thanks for your report but not further acknowledging it until the patch is released. Public disclosure is rarely a good idea due to the risk of getting legal action taken against you. If I were you I'd keep waiting and if more than a few weeks pass without a patch that fixes the issue, contact them again and again. At some point, it'll hopefully get patched. Good luck with getting this vulnerability fixed and thanks for disclosing responsibly.

  • 2
    https://www.schneier.com/blog/archives/2007/01/debating_full_d.html

    Looks like we should switch back to full disclosure as the norm...

     – vidarlo Sep 17 '17 at 18:43
2

If you haven't gotten an answer despite their policy of acknowledging, it may be that a spamfilter ate your message. Looking for an alternate way to draw their attention to the message may be helpful.

Calling a general phone line is unlikely to not get you anywhere. Does the company have a security presence on twitter (eg @msftsecurity) , or employees with relatively public profiles on Linkedin who you can reach?

Also, there was at least one case where someone mis-addressed an email to secyre@microsoft (or somesuch typo). Are you sure you sent to the right address?

Adam Shostack
  • 2,669
  • 1
  • 11
  • 12
1

Fully document and paper trail all communications. Try on at least 3 different mediums to get in contact: Email, social media, phone call, letting them know you want to disclose a security issue but not giving them all the detail at that stage.

Have names and details of anyone you do get manage to get a hold of in your report.

If they still do not reply to you or give you the resolve you require you have all the supplementary evidence of you following best practice and trying to resolve this responsibly.

TrickyDupes
  • 2,849
  • 1
  • 15
  • 27