Questions tagged [disclosure]

releasing information about security issues to the general public or a selected group.

155 questions
79 votes, 10 answers

How to report vulnerabilities without being regarded as a hacker?

I just discovered that my university alumni's login page is just plain HTTP. Wireshark confirmed that the credentials are sent using an HTTP POST message. I did a bit of research and, as I thought, HTTPS should always be used on the login page…
user29170
40 votes, 6 answers

Software vendor refuses to fix security vulnerability - what to do?

I work as a consultant for a large corporation that uses some software, in which I have found a security vulnerability. I notified both my client and the software vendor about a year ago. They referred the case to their account manager (!), who (in…
TravelingFox
20 votes, 4 answers

My old job has massive security exploits in their product, but they don't care

A company I used to work for developed a Point Of Sale system that also has an eCommerce portion. While working there, I discovered massive flaws with their security model. Simply put, there is 0 server side validation. Any user, logged in or not,…
ItsNotMe
12 votes, 3 answers

Responsible disclosure: company is dedicated to security but doesn't answer

Context: recently I found a vulnerability in a webapp for a big company. They have a full policy on responsible disclosure which I followed to avoid legal issues. The company commits itself to answering within a time period (in this case two weeks).…
Str-Gen
4 votes, 1 answer

Challenges of setting up responsible disclosure for my course

Does anyone have experience in setting up a responsible disclosure procedure for a company? I'm interested in taking up a university assignment involving this. I have read up on my government's guidelines to responsibilities of both the discloser…
yesman
4 votes, 1 answer

Getting an employer to secure their website immediately

I'm employed as a consultant at a big tech consultancy. I recently noticed a major flaw in their website: they send my login credentials in plain text over HTTP. I verified this by doing an outbound packet capture and lo and behold there were my…
Emily L.
4 votes, 1 answer

What are the pros and cons of disclosing a vulnerability before it is patched?

I had heard a lot about Google's Project Zero and its 90-day deadline for vulnerability disclosure. It has taken some flak from Microsoft for disclosing the bugs before they were patched. I understand the argument that users should be aware of…
Limit
4 votes, 1 answer

How to deal with found security issues on third party websites?

Some time ago I discovered a security flaw regarding the password policy of my cellphone provider which basically makes the website, which includes access to personal information and invoices, vulnerable to brute-forcing (in a significantly short…
3 votes, 2 answers

Found a bug in a software product used by the pentesting customer; who to report it to?

Let's say I'm doing a pentest on BlueCorp and find a bug in the software UnrealSec made and distributed by SecCorp which is used by BlueCorp and found during said pentest. Should I report this bug to both BlueCorp and SecCorp or only one?
ChocolateOverflow
3 votes, 2 answers

Reporting vulnerability to New York Times

I have successfully discovered a vulnerability in the New York Times website. Is there any known way I can report this? I have not attacked it. But I found a bypass. What should I do?
user182148
2 votes, 1 answer

How to properly disclose a security vulnerability anonymously?

Let's say I found a login-bypass/root-backdoor in software my company uses that gives you root privileges within that software by simply entering a keyboard combination. I've reported this within my company and to the company that provides the…
architekt
1 vote, 0 answers

Should I report a severe data leak on a site?

I noticed a severe data leak on a Chinese website allowing me to access other users' phone numbers, addresses and names. Should I report this? I don't want the higher management at the company to assume I was purposefully hacking their site & take…
James Nixon
1 vote, 1 answer

ID token contains sensitive information sent by the GET method

I've found that my website is using id_token and it contains the user's information. One of those is my phone number, which I think could be sensitive information, because if attackers are able to capture the request, they get my id_token and…
Ender
1 vote, 2 answers

Risk of Production Data in Test / QA Environments

Looking for risks associated with seeding QA or Testing environments with data from production. Other than a compromise of the test environment leading to information disclosure (made worse if that data is PHI), can anyone shed light on additional…
HashHazard
0 votes, 1 answer

Course of action after finding a security flaw

I've found what I believe is a significant security flaw on quite a big platform. It can be exploited to obtain on the orders of millions of email addresses with some additional data. They're big enough in that they have set up a customer support…
reveance