Let's say you recently discovered some major vulnerabilities in a couple of web sites that operate mainly in your country and are very powerful in their market. The vulnerabilities I'm talking about are as bad as letting me browse the admin interface with superadmin privileges.

What would you do now? I'm thinking of something like:

  1. Report the problems to the company
  2. Publicly announce that there are security holes in those applications, but without disclosing the actual exploit
  3. Give the company time to fix its problems. (How much?)
  4. After the problem has been fixed, or the grace period for fixing has passed (whichever comes first), fully disclose the vulnerability

What do you guys think? Do you have some materials to read about this or experience to share?

+4  A: 

I think you are on the right track.

The general trend in such cases is to file a bug report with the company in question and give them some time, depending on the severity of the issue and the time estimate required for a fix. After that, there is usually a full disclosure if the company doesn't ask you otherwise (for a premium?).

However, if the company doesn't get back to you in time or does not acknowledge you, you have the right (I believe) to publish your results for the greater good.

Whatever you choose to do, maintain a proper record of your communications with the company. This may help avoid unforeseen circumstances.

dirkgently
In many countries you are not allowed to keep silent if you know about things that may harm consumers or the general public. So if the company does not fix the problem within a _reasonable_ time (or did not even bother to contact you), you can publish the information.
Jacco
+1  A: 

I'd first report the security holes to the company. If they don't take care of them - I'd announce it to the public.

John
+1  A: 

If I was in your place, I would have definitely gone with reporting it to the company. If the problem is as serious as you have mentioned, then report it using the fastest means of communication available.

In case you are aware of some solution do let them know that as well.

You can write a generalized blog post or an article about the problem and the solution. This will help others to check their own systems. Do not disclose anything about the company or the website, as you may end up in trouble otherwise.

danish
+3  A: 

I personally would report it to the company giving them some reasonable time period to correct it. But also offer them the option of requesting a deadline extension if they feel it will take longer. After that deadline, disclose the vulnerability.

I might consider reporting it to a governmental security organization. My main concern would be whether I need to report anonymously, given that you might be breaking some law by disclosing a vulnerability publicly. It depends on your country.

AaronLS
+14  A: 

Talk. To. A. Lawyer.

This could get sticky depending on the company. By saying "you have xx days to fix this before I announce the exploit", you are basically saying "do what I expect, or I will cause you lots of grief".

The other issue is, how did you discover this? Were you using the site 'normally', or did you see the potential for the hole and decide to see if it worked? This is very important to keep in mind, especially if you are considering setting a time limit to fix the issue. I'm not sure what the laws say where you live, so please, talk to someone who does.

You might end up with their thanks, some cash for entering into an NDA (you did, after all, browse the admin interface), and you might get some credit in the security industry. But be very, very careful and do try to seek the advice of an attorney.

Tim Post
+2  A: 

If your country has a government regulating body such as the Federal Trade Commission, report it to them, and then forget that it existed.

If you report directly to the company, you first have to find the person to report to. Then you have to deal with the question of "how do you know this" (+1 on Talk to a Lawyer). And then, if you threaten to go public, you might find the local police knocking on your door with a warrant, followed by arrest for extortion (+2 on Talk to a Lawyer).

kdgregory
+3  A: 

Simply put:

Ignore it.

Your actions (however you found it) are almost always illegal. Therefore that company can take you to court and make your life miserable. Similar stuff has happened before. Most of the time a lawyer can't help you.

Some people who are not working in the security industry might not agree with me (aka downvote), but I've been there, done that.

Finally, one way to do this properly: if you have a friend over there or a personal contact, just have an informal chat with him/her (something you can deny later, and that can't be used as evidence); then he/she can check this out and report it like an internal finding.

For reporting stuff in open source / commercial applications you might find this interesting and helpful: http://www.wiretrip.net/rfp/policy.html (responsible disclosure). But this is a whole other story from finding a vulnerability in a company's live website / infrastructure.

If it's a commercial product and you've reverse engineered it, it's still illegal in many countries. So even with a product you have to be careful about it. Recently companies like Google / MS have started to make public announcements about how to report security issues in their products.

dr. evil
+2  A: 

A lot depends on the person who is responsible for said vulnerabilities. To cover his own backside he might go after you in court. Besides, if one had the access to the admin panel, one could also have accessed some private information and trade secrets. There are just too many variables to be sure. As other people have already said, consult your lawyer. In some countries there are also lawyers who specialise in computer-crime and related issues, those would be the best.

A year ago I was responsible for a couple of Linux servers, which were constantly battered by SSH brute-force attacks. I used to send emails to the admins of most any IP that had a name like mail.some_company.com, since that mostly meant a compromised system. Once, while checking the logs, I found an IP from a company in my own country. With little thought I phoned them to report the problem. Their admin's response was along the lines of "What?! Who are you? What are you doing to our servers?!".

frgtn
Vanity and pride of admins - the biggest security flaws!
ldigas
+2  A: 

You could consider reporting the vulnerability to an organisation such as Secunia, and asking them to manage the disclosure. They've done this kind of thing before...

http://secunia.com/advisories/report_vulnerability/

Steve Jessop