I stumbled across an account on Twitter this weekend, which was sharing a misconfiguration they had found in a mobile application. The misconfiguration resulted in the private data of hundreds of thousands of vulnerable individuals being made publicly available for anyone to access.

We like to proclaim that security by obscurity is not acceptable, but when it comes to responsible disclosure I believe it’s of the utmost importance. What keeps the user's data safe in this situation is the integrity of the security researcher who found the misconfiguration, and what they choose to do with that information.

In this case they sent a couple of emails to the company in question, and after not receiving a response within 2 weeks, they posted it on Twitter for the world to see. The individual defended their position and the actions they took, but in my opinion this is unethical and unacceptable. There wasn’t any thought for the safety of the users; they were unfortunate pawns in a quest for online clout.

There are plenty of guides and official standards available online, and I’ll link to some below, which set out detailed processes for disclosing vulnerabilities, but I’ll share some thoughts of my own on how I believe these situations could be handled better. I’m not a security researcher and I haven’t gone through this process; these are just my opinions, and I’m always happy to be educated further or proven wrong.

When a vulnerability in a system is discovered, the first place I would look is for a security.txt file on the company website. This is a reasonably well-adopted and recommended standard, and it provides contact details for the people responsible for dealing with vulnerabilities within that company or organisation. In the case mentioned earlier, this file does not exist, but it’s only the first step of many I would take.

The next place I’m looking is for security personnel, software engineers, and senior staff members of the company in question on LinkedIn. For all its AI slop, LinkedIn is a fantastic platform for reaching out to people who work at specific companies. You can find members of the C-suite on there too, but I would start with more technical people first.

Sending emails is worthwhile, but it’s a less reliable option. Emails can end up in junk or spam folders, filtered out or quarantined by firewalls, or some people just have busy inboxes and it may slip through the net, especially if it’s from someone the recipient doesn’t know. Definitely give it a go, but don’t expect a response.

Send a generic message on social media; a lot of companies invest in support teams through platforms like Twitter. Don’t disclose any details, but use it as a tool to reach the right people with whom you can responsibly disclose your findings.

Reach out to other security professionals who have more experience with responsible vulnerability disclosure. The security community is full of brilliant people who may be able to put you in contact with someone through their network, or at least provide guidance on what you can do to reach the right people.

You can also check bug bounty platforms such as HackerOne: companies with an active bug bounty programme will share relevant contact details there.

If you’re hitting brick walls in your search for a contact, or you simply don’t have the time or patience to see it through, there are CERTs in almost every country who can help take on the responsibility.

There are suggested timeframes, such as 90 days, before some believe it’s acceptable to disclose publicly. Even after exhausting all options of contacting the company in question, I would much rather fall back on security by obscurity, especially in cases where the data being shared relates to vulnerable people.

We talk about white hat, grey hat and black hat in security, but really it’s a spectrum, and my morals are on the opposite end of that spectrum to people who think it’s acceptable to expose vulnerabilities on Twitter for likes while putting hundreds of thousands of people at risk.

I’m hopeful this trend isn’t one that grows, and that we can promote good ethics when dealing with vulnerabilities. With the lower barrier to entry that comes with AI tools, and the intoxicating allure of social media likes, let’s promote good behaviours and challenge poor representatives of the security community.

Useful Resources