Informing a Company of a Security Discovery?
An anonymous reader asks: "I recently found a major security flaw through serendipitous independent research. I do not want to go into details, but it could be used against certain companies and have a large negative financial impact. However, I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem. Seeing as many researchers have been persecuted/prosecuted lately for public disclosure, what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?"
Unless you're already in the business of helping firms secure their systems/networks/etc from attack, most firms will probably look upon your offer with a jaundiced eye. Now if you want to become a fly-by-night security expert, offer your services as a consultant to said firms, and then conveniently discover the security flaws AFTER they've hired you, they probably won't be too upset. But really, unless you have experience as a security expert already, how likely are they to hire you whether you know of a security flaw in their network/systems/etc or not?
Did I mention you are an idiot?
If you're concerned about legal issues, you could find some way to notify them anonymously and untraceably.
Can't sue what you can't name...
Because in some countries simply looking for exploits is illegal, you may have opened yourself up to much larger issues than just finding a way to tell them about it. You may just be looking at having to find a lawyer to get you out of whatever local, state, federal or national law may have been broken by doing it.
So, basically, you're not going to want to send them a letter, crafted on construction paper, with random letters cut from miscellaneous periodical literature, formed in words and sentences stating your conditions for release of information!
In short, I have no good suggestion other than seeking legal counsel, IMMEDIATELY.
Tell them how you discovered the bug (are you a full-time security researcher, just a hobbyist, discovered it by accident?). Tell them the potential severity. Then, as a footnote, mention your skills in patching security holes (assuming you have any) and offer to help them fix this hole, and potential other ones. Don't mention money in your initial email.
If you tell them upfront that you want $$$ to fix the hole, it's going to sound an awful lot like extortion. What you might think of as a friendly e-mail offering help, they could see as "Pay me $$$ and this/further vulnerabilities won't get released to the blackhats". So just treat them nicely, and hope for the same in return.
If they do sit on their asses for more than two weeks or so, it's probably alright to release the vulnerability to the public -- possibly anonymously if you fear retribution. Use tor/remailer if you have to publicly disclose and don't want BigCorp harassing you forever. They may suspect it was you who disclosed the vulnerability, but all they would have is a hunch. Good luck.
http://cltracker.net -- powerful craigslist multi-city search
I don't see how you can expect to get paid for discovering a security flaw.
If you are willing to travel to the head offices of the company in question and explain, in person, what you have discovered, it is reasonable that the company would pay your travel expenses and a fee for your time.
So you discovered a security flaw...why does that entitle you to money? You don't own the software the flaw was found in. The only way you deserve money is if you are extorting it, which is illegal. I suggest you tell them the flaw for free and move on. You aren't going to get rich doing this and you'll feel better if you just give up the info for free. Besides, you are most likely wrong about the flaw anyway...most amateur researchers are.
Have you considered that maybe they don't have source code to the software in question and they're just going to have to go to the vendor to get a fix?
It will be hard to do that, mostly because that is the f'ing definition of extortion.
My advice. Make note of it, and move any money you need to out of their hands. Tell your friends and family. Nod sagely when the shit hits the fan.
Platform advocacy is like choosing a favorite severely developmentally disabled child.
Find a way to send an email to an appropriate person. Start with the same first 3 sentences as in your post here. Then add that you'd expect them to take a few days to come to an internal agreement on what they'd be willing to spend to find out what you know. Let them make an offer, and unless it's ridiculously low, take it. It's found money to you. Right?
Be sure you make two things very, very, very clear to them: (1) If they choose not to buy your information, you will just drop the matter and they can go on being vulnerable; and (2) You will in no way exploit or pass on your knowledge in any way that could result in an exploit of the vulnerability.
If they don't want to pay, then you might see what established security firms would be willing to pay for the knowledge. If none of them seem interested, you should just drop it and go on with whatever you were researching in the first place. You can't save people from something they don't want to be saved from.
You weren't conducting your research for the purpose of making money off what you might have found, right? If it doesn't work out, just move on with your life and your work. Not everything has to end up with money changing hands.
Sig not available, please try again later. If the problem persists, then the submitter is an idiot.
Delete your logs. Delete your browser cache (I'm assuming you used your browser for at least part of your research). Delete /tmp. Switch your ISP.
Seriously, I wouldn't tell anyone in the company. The most I'd do is send an anonymous email to securityfocus.com, and let them do whatever they want.
Your chances of getting arrested are just too great to justify the risk.
Here's an idea: how about entering into an agreement to look for vulnerabilities before you go looking for them? Obviously not a lot of use to you now, so how about you just pretend you don't know about this flaw you claim to know about and go get that agreement. If you can't get the agreement without revealing that you already know about a flaw, then you have no chance of getting paid anyway, so either anonymously inform them of your results or shut up about it already.
How we know is more important than what we know.
Write up a bit of code to exploit the security vulnerability and publish it to the web. That's the most reasonable and expedient way to get the vulnerability fixed and your 15 minutes of fame.
Bonus points if you blog about the FBI searches of your office/residence/colon.
Ask Slashdot: I woke up with a dead hooker, how do I beat the rap?
You're looking for money in exchange for providing safety. Seems an awful lot like extortion, even if you call it something else or pretend that you "have no wish to use this for malicious purposes". You may as well just open your negotiations by threatening to start by breaking their thumbs if they don't pay up.
I would suggest offering them the information regardless of whether they want to pay you anything, and offering your services as a consultant if they want your help fixing the issue.
Snowden and Manning are heroes.
If you tell them, they'll thank you by either a: suing you, b: charging you with some form of criminal trespass on their networks or c: all of the above.
That's the usual reaction of large organizations to finders of embarrassing facts.
Lawyers are your friends in business deals.
If lawyers gave legal advice and assumed liability when the advice they gave was inappropriate or failed to protect the client then you would have a point. They would be supplying a useful service.
As things stand though, lawyers on both sides of an argument benefit from legal action but suffer no fallout from losses suffered through following their legal advice. That lack of necessary negative feedback is what makes them a pure shyster and snake oil profession, and never a friend under any circumstances.
Avoid like the plague. Lawyers have destroyed what used to be a great nation.
You want us to believe this? That's like saying you were walking along and just happened to notice your neighbor's door unlocked. Why would you be trying the door? Why would you be doing anything to find this security flaw? I don't think most people unmaliciously research things and happen to stumble on a security flaw. The tone of your post is you want to make money. You want ideas to extort without calling it extortion?
That which does not kill me only postpones the inevitable.
That's a very simplistic and childish view and it makes me wonder how much you've dealt with lawyers.
I deal with them almost every day and the woman I'm dating is a paralegal. I rarely meet a lawyer (actually never have) that lives down to the stereotypes.
I've found many lawyers very helpful with their advice and time, but that might also be because they're my clients and love the services I provide. The more I've worked with them, the more I can see why they work the way they do and I can also see how the uninformed, without experience or knowledge of how they work could misinterpret what they do if such a person were more interested in denigrating people instead of understanding them.
I think lawyers are great, but then again, that may just be because their fees pay my bills and more.
So you want to disclose a bug to a company without fear of reprisal? Good! Don't want to take on any liability for private disclosure of a newly discovered vulnerability and disclosure is the right course of action? Here's how:
step 1: get a bootable CD that supports wireless like AnonymOS or Knoppix or Auditor Linux
step 2: find a way to randomize your laptop's wifi MAC address
step 3: go to a random coffee shop or access point for which physical access is hard to track
step 4: generate a gpg key for future use
step 5: log on to the interweb and set yourself up with a gmail or hotmail or yahoo email address with a fictional name
step 6: email your gpg private and public key to yourself for future use
step 7: notify the company using the above fictional name
step 8: sign your disclosure email with gpg, and include the public key so you can prove later it was you
step 9: don't expect to be contacted, but do check that email address from a similarly anonymous point on the network in a month or two.
http://tinyurl.com/4ny52
A lawyer is not a friend under any circumstances
Sorry, son. I'll stop at your subject line. You are an imbecile. A lawyer is your friend in a lot of circumstances, especially when your enemy is a lawyer. When you graduate from high school or whatever liberal arts college you are attending and actually do something in life, you will realize that lawyers can play a valuable role in society. Of course, getting you probation on your marijuana possession charge is one...
Don't expect to get paid by the company whose software you broke. It's hard enough to actually get bugs fixed. If it's really a huge bug, go to ZDI or iDefense to cash in. Companies don't care about security bugs unless they're disclosed publicly. Otherwise the most you'll get is a thank you. It's not worth the time fishing for money; you won't get any!!!
A Greedy Reader has already given two possible answers:
1) Steal directly from them
2) Extort money out of them.
Of these I'd go with #1. With #2 you will absolutely get caught and nailed to the wall, if not in other places.
How about:
3) Profit by telling them so they have better security. Or would doing the right thing make you feel like too much of a tool.
Afterward I'd also suggest:
1) Give up your career in crime if you're too much of a pussy to go through with it. "serendipitous independent research" like hell. Where do you think you are?
You stand to lose much more than you stand to gain. Yes, *if* you can convince the right people at the company that you are a benevolent security researcher, then *potentially* you might make a small consultancy fee, but it's not going to be anything like as large as the hurt that the company can put on you if they decide your research is a threat, which with a lot of large companies is more likely and with practically all large companies is an entirely possible outcome. The risk is great.
My advice is to go to a public library that allows anonymous web access, sign up for a free webmail account, and notify them anonymously, with as much detail as you can put together. (Make sure you send it to the company's security team, not just some random person at the company.) If you don't hear back after a few days, try again, and Cc someone a bit higher up the corporate food chain. After some predetermined amount of time, if you haven't heard back from them and they haven't taken visible steps to fix it, disclose it (again, anonymously) to some well-known independent security researchers who will have a better chance of getting the company's ear.
If too ridiculously much time passes and they take no action and do not acknowledge the issue, post it anonymously to the most relevant usenet group and/or a major security mailing list.
Under no circumstances publicly admit it was you. It's not worth it. The legal hassles that a large company can throw your way far outweigh any potential benefit.
Cut that out, or I will ship you to Norilsk in a box.
Give up on the idea of profiting from this directly. You're likely to make more profit by developing a reputation as a serious and reliable researcher who can help companies to shore up their defense, rather than as a gray-hat who trawls for companies with security flaws looking for a payoff.
You say there are several companies involved. Research them a little, and approach the one that looks most likely to offer you gratitude rather than a lawsuit, and ask who you should inform of a vulnerability you've discovered. GIVE THEM THE INFORMATION FIRST. After you've given them the information, you can let slip that you're looking for security consulting work. As long as you aren't holding out the information - as long as you give them the warning and all the data you have on the vulnerability BEFORE you mention the idea of providing services for pay, you're not committing extortion. Also, don't mention that other companies have the vulnerability or suggest that you're going to approach them, that might look like a shakedown, too (they might think you're offering to NOT warn the other companies if they pay you, and that, too, could be seen as extortionate). Repeat this, carefully, with other companies if you're sure they won't sue you for your trouble, never letting any one company know that the others have the vulnerability or that you are/might be doing business with them.
Next, write up the vulnerability as a research paper. Wait until you've heard back from all of the companies you contacted that they've fixed the vulnerability, but do not mention money in connection with publishing the vulnerability; otherwise, give them six months after your first contact before submitting it to a research journal. When you do publish the vulnerability, only mention companies if it is absolutely necessary: for instance, if it's an Apache vulnerability, you need to mention Apache, but don't need to mention a company using Apache; if it's an IIS vulnerability, you need to mention Microsoft, but not a company using IIS.
Understand that you may not get a job offer right away. The key is to treat the whole thing as a scholarly pursuit for which you DON'T expect to get paid. If you smell like some punk trying to pry money away from a bunch of companies, they'll treat you as a criminal; if you behave like a scholarly researcher who's just out to learn about and publish on the subject of security, they'll treat you as a potential resource: and most companies understand that resources cost money.
One more thing: you might want to talk to a lawyer first. That way, it's on the record that you were trying to get the information out to the proper parties, but saw profit as a potential side effect, not your primary motivation. It's also on the record that you found the vulnerability first. A lawyer might help you to determine which companies it is and isn't safe to contact. I know that means spending some money, but it's better than ending up in federal you-know-what prison because some Chief Security Officer decided that you were trying to blackmail him.
"what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?"
Well, short answer: you can't. It is basically saying "I know something about you that you do not want the public to know; PAY ME and I will 1) not tell anyone, 2) help you fix it."
All a company will see is PAY ME OR I WILL TELL ALL MY BLACK HAT BUDDIES, even if you are not one, nor would you tell a black hat about it, regardless of your intentions.
You are playing with fire if you are "researching" security vulnerabilities without permission / a contract. It could easily be viewed as extortion as per the definition. Also, as was mentioned, in some areas simply poking around for security holes is a crime.
Either you have a serious desire to help them, in which case tell them what you found and don't expect, much less ask for, any money whatsoever. Option two: you go looking for this kind of shit on a regular basis and are just pulling a stunt here.
I don't think you can accomplish what you want to do. It's difficult enough to notify the company that they have a vulnerability. I've read multiple accounts of people who uncovered security issues and tried to notify the company through customer support, only to get nowhere. Then, out of frustration, they publicized the vulnerability online. That would get the company's attention, but would typically result in a lawsuit or some type of criminal prosecution. As weird as it seems, analyzing computer systems to discover security vulnerabilities is illegal under US law.
Check out Chad's News
UNLESS you were hired by them prior to discovery, just walk away. In most areas, there are contracts and legal papers to be sorted between both parties prior to a penetration test of a network. This serves to release both parties of any liability for any perceived wrongdoing. You did this of your own accord, not at the company's request.
I suggest that next time, you get the company's permission to perform an audit and have signed contracts and negotiate fees PRIOR to poking around their networks.
I did this once to a local ISP some six years ago and tried to report a trivial security hole "anonymously" from a cyber cafe. I don't want to disclose the details about that old security hole here (even though they've fixed their system long ago), but it was trivial in the sense that it was very easy to discover. The ISP called the police who got my identity from the cyber cafe easily. I got arrested.
I was lucky at that time that the cyber laws were not so strict back then and that I did not cause any financial damages. The police simply detained me for like 8 hours and dropped the charges. But still, as a kid (I was ~15 years old at that time), that was an absolutely horrible experience.
You would not be as lucky as me if you were to try that now. Seriously, I don't want to see an honest computer scientist or a tinkerer get thrown in jail or even Guantanamo Bay (who knows if that actually happens) for something as stupid as this. If the security hole is none of your business, just leave it alone!
Only the unwise and immature enter into complex business arrangements without seeing a lawyer first.
Dumber still is writing your own contracts and not having a lawyer look at them.
This is precisely the situation where you need expert advice, notwithstanding the bad taste that justifiably accompanies the legal "trade" where it at times forgets to be a profession. Ignore the lawyer-bashing and make sure you know where you stand.
1) Get a lawyer, a good one. Will probably cost you a $2k retainer and $250+ an hour.
1B) Do what your lawyer tells you. This may end the steps.
2) Do your homework, on the company staff and with the lawyer.
3) Identify the person who will be fired if the hole is exposed.
4) Set up an informational interview with this person.
5) Get a consulting gig to do an external security sweep. Structure it with a strong incentive to be paid more if you "find" holes. If the person is smart, they will KNOW without you telling them that you already know there is a big hole.
6) Do the sweep/work, find the hole, get your incentive, and explain it all to them.
7) If you're good, you land a sweet consulting gig for regular external sweeps, and they refer you to their buddies at other firms.
8) Said ass-over-fire IT VP gets to claim a huge victory internally for "finding" a star consultant that fixed a hole.
If you are in the US, don't tell them anything! You risk far more than you stand to gain.
If you are in a country with a non-broken legal system, find out what the situation is, i.e. consult a specialist attorney. However, expect that you cannot charge anything for an initial warning that is enough for the company to understand the problem and hire other experts to fix it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Go outside, smell the fresh air, walk around a little, and think about how much of this you'll miss when you're thrown behind bars in PMITA prison, with no hope of release because you somehow violated the Patriot Act.
There, that's better. I guarantee that by the time you go back inside, you'll have no interest in telling anyone of any vulnerabilities. You're (still) in control of your own life. And it should stay that way.
DT
Is this thing on? Hello?
Dude, you're crazy. Walk away. Have you learned nothing from the umpteen stories on /. over the years about the well-intentioned guy who stumbles upon a horrendous security flaw and reports it, only to find himself prosecuted/sued/fired/whatever? Unless you already work for the company in question in a position where it's your job to find security holes in their stuff, you should really just forget the whole thing.
If keeping your mouth shut will keep you up at night worrying about who else might discover the hole and actually exploit it, then find out who you should be reporting this to and send them a detailed, anonymous letter through the postal mail. And when I say anonymous, I mean really anonymous: Handle everything you're going to send them with latex gloves. Don't use your handwriting on anything-- use labels or run the envelope through your printer. Use self-adhesive postage and envelopes, or at least don't lick them to moisten the glue. Don't use your real return address. Mail it from a mailbox on the other side of the city from where you live-- or a different city or state entirely, if possible. Once the door closes on the mailbox, forget about it-- you've done all you can.
This happened to me once when I was in college. I discovered a flaw in the security in one of the university's servers that allowed anyone to log into it remotely and anonymously with administrative privileges. So for my final project in my microcontrollers class I built a small device that plugged into a keyboard ps/2 port while still allowing the normal keyboard to function (like a keyboard logger).
:)
The plan was to hook this device up to a computer in the library that was always logged in as some guest account. Then, at 3AM every day, it would send a series of keystrokes that would log into the server, change the permissions of a group of folders that I was sure some people would miss, and then log out. Unfortunately, after I demonstrated the project to my professor and submitted a report containing the details of the flaw, it was fixed posthaste. I got a perfect score on the project and had to exchange a few emails with a sysadmin to clarify some things in my report.
> Seeing as many researchers have been persecuted/prosecuted lately for public disclosure, what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?
A) Do it anonymously.
B) You don't get a fee, sorry.
Yeah, you can try to do it another way, but people don't usually get fees for discovering these things and even revealing the hole can be a good way to get in trouble. Tell the company (anonymously) that they have a month or whatever and then you post it on Full-Disclosure. If you give them anything but a fixed deadline, they'll string you out.
Forgot to mention, documents can be traced back to new printers. To be absolutely safe you might want to buy some old, crappy printer from somewhere (pay cash if possible), use it just for this letter/documentation/envelope/mailing label, and then destroy it.
As many people have said, you are running a *major* risk if you approach the company directly. On the other hand, if you can come to an agreement with the company that includes their commitment to not press charges, then you have accomplished what you want to do.
So what do you do to get from point A to point B? Use an intermediary.
Lawyers do this kind of thing all the time. "On behalf of my client, who wishes to remain anonymous, I would like to propose
A really *good* lawyer will be able to frame the situation in a way that your proposal is not construed as extortion. "My client is concerned about the well-publicised prosecutions of individuals who have performed disclosures of security-related information, and
Plus, attorney-client communication is privileged.
If you're in business, you should *already* have an attorney. The downside is that you'll probably have to pay for your lawyer's time. If you're feeling entrepreneurial, you could see if your lawyer is willing to work on a contingency basis for a portion of the deal with the company
"agreeing on an appropriate fee for my services"
... takes time ... time=money ... you benefited from this ... care to make a donation?'
You have no prior agreement with them, so you can not expect a fee.
I think you should send them a full disclosure e-mail (flaw, found workarounds, time to public disclosure).
Then send them a beg-mail, 'I do independent security research
If the company is nice they will give you some money, if not you are probably never going to get anything anyway.
I wouldn't bother reporting it. Let's face it -- the company simply does not want to know about it. By reporting the bug, you have now brought attention to the fact that their network/web server is vulnerable. Not only must they then take the site/network offline while they patch things (costing them sales, etc), but then they must assume they have been compromised and 'clean' all potentially infected hosts and files. Companies will see the cost of this cleanup as eating into their profits and would rather blame you than fix the problem.
I think maybe it is time to require an engineering license for software development. This, I would hope, would weed out the stupid programmers and force proper engineering practices such as code reviews, lessons learned, etc. And if companies didn't want to pay for it (the typical excuse) then they just wouldn't get any software.
When two engineers take opposite positions in a disagreement, at least one of them is necessarily in error. The one(s) found in error are subject to unlimited personal liability that cannot be discharged in bankruptcy, and may also be subject to criminal sanctions as their actions were necessarily willful.
When a lawyer in a dispute is found to be in error, he is automatically considered innocent despite the situation conclusively proving his guilt. Moreover, his arguments in one case do not permanently estop him from making contradictory arguments in other cases. It is a profession of deceit and contradiction. The lawyer finds invigorating failures that in other professions—mathematics, engineering, medicine, and so forth—would leave a career lying in ruins.
Logical fallacy: False dilemma.
You lose. Thank you for playing.
A guy was in the news recently for going approximately this route. After his contact somebody else attacked with his exploits. He got visits from the Feds and at least a lot of trouble for his efforts, I forget if he was prosecuted.
An enlightened company would have a guarantee up front for this kind of stuff published on their website as a proactive measure. All the rest can get the silent treatment - we have to assume an attack by them since they haven't said otherwise and usually do.
Don't pet the Grizzly.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
From their front page:
The Zero Day Initiative (ZDI), founded by TippingPoint, a division of 3Com, represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. The program's goal is threefold:
I am surprised no one has pointed you to this site for some good examples of how to use your information.
Extortion would be offering his services...with the threat that if they refuse, he'll release the vulnerability to the public or even attack them with it himself.
It's not extortion if there isn't a "if you don't do this, then I'll..." threat behind it. Mafia protection rackets aren't extortion because they ask for protection money- they're extortion because if you don't pay them protection money, they break into your store/kill you.
I recall a certain famous individual - the name escapes me at present - stating that all evil needed to triumph was for good men to do nothing. Now, if I read the gist of many comments correctly, 'the system' is ready and eager to punish the good man who does something...
...so what does that say about the system, I wonder...?
For the person asking the question: I'd hang on to all that information, if I were you. Find some way for it to get (discreetly) into the right hands, but keep backups.
Just in case.
- White Knight of the Order of Mihoshi Enthusiasts