Informing a Company of a Security Discovery?
An anonymous reader asks: "I recently found a major security flaw through serendipitous independent research. I do not want to go into details, but it could be used against certain companies and have a large negative financial impact. However, I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem. Seeing as many researchers have been persecuted/prosecuted lately for public disclosure, what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?"
Tell them how you discovered the bug (are you a full-time security researcher, just a hobbyist, discovered it by accident?). Tell them the potential severity. Then, as a footnote, mention your skills in patching security holes (assuming you have any) and offer to help them fix this hole, and potential other ones. Don't mention money in your initial email.
If you tell them upfront that you want $$$ to fix the hole, it's going to sound an awful lot like extortion. What you might think of as a friendly e-mail offering help, they could see as "Pay me $$$ and this/further vulnerabilities won't get released to the blackhats". So just treat them nicely, and hope for the same in return.
If they do sit on their asses for more than two weeks or so, it's probably alright to release the vulnerability to the public -- possibly anonymously if you fear retribution. Use Tor/a remailer if you have to publicly disclose and don't want BigCorp harassing you forever. They may suspect it was you who disclosed the vulnerability, but all they would have is a hunch. Good luck.
This is actually a really pressing First Amendment issue IMHO. This stuff should not be any more illegal than someone putting a strain gauge on important bridge supports and discovering that the bridge is likely to collapse when five 18-wheelers go over it at the same time. This kind of targeted disclosure only improves security in the long run.
In fact with the way the laws are written right now, companies act just like politicians would if it were trivial to prove libel.
So you discovered a security flaw...why does that entitle you to money? You don't own the software the flaw was found in. The only way you deserve money is if you are extorting it, which is illegal. I suggest you tell them the flaw for free and move on. You aren't going to get rich doing this and you'll feel better if you just give up the info for free. Besides, you are most likely wrong about the flaw anyway...most amateur researchers are.
Have you considered that maybe they don't have source code to the software in question and they're just going to have to go to the vendor to get a fix?
Find a way to send an email to an appropriate person. Start with the same first 3 sentences as in your post here. Then add that you'd expect them to take a few days to come to an internal agreement on what they'd be willing to spend to find out what you know. Let them make an offer, and unless it's ridiculously low, take it. It's found money to you. Right?
Be sure you make two things very, very, very clear to them: (1) If they choose not to buy your information, you will just drop the matter and they can go on being vulnerable; and (2) You will in no way exploit or pass on your knowledge in any way that could result in an exploit of the vulnerability.
If they don't want to pay, then you might see what established security firms would be willing to pay for the knowledge. If none of them seem interested, you should just drop it and go on with whatever you were researching in the first place. You can't save people from something they don't want to be saved from.
You weren't conducting your research for the purpose of making money off what you might have found, right? If it doesn't work out, just move on with your life and your work. Not everything has to end up with money changing hands.
You want us to believe this? That's like saying you were walking along and just happened to notice your neighbor's door unlocked. Why would you be trying the door? Why would you be doing anything to find this security flaw? I don't think most people unmaliciously research things and happen to stumble on a security flaw. The tone of your post is that you want to make money. You want ideas to extort without calling it extortion?
Give up on the idea of profiting from this directly. You're likely to make more profit by developing a reputation as a serious and reliable researcher who can help companies to shore up their defenses, rather than as a gray-hat who trawls for companies with security flaws looking for a payoff.
You say there are several companies involved. Research them a little, and approach the one that looks most likely to offer you gratitude rather than a lawsuit, and ask who you should inform of a vulnerability you've discovered. GIVE THEM THE INFORMATION FIRST. After you've given them the information, you can let slip that you're looking for security consulting work. As long as you aren't holding out the information - as long as you give them the warning and all the data you have on the vulnerability BEFORE you mention the idea of providing services for pay, you're not committing extortion. Also, don't mention that other companies have the vulnerability or suggest that you're going to approach them, that might look like a shakedown, too (they might think you're offering to NOT warn the other companies if they pay you, and that, too, could be seen as extortionate). Repeat this, carefully, with other companies if you're sure they won't sue you for your trouble, never letting any one company know that the others have the vulnerability or that you are/might be doing business with them.
Next, write up the vulnerability as a research paper. Wait until you've heard back from all of the companies you contacted that they've fixed the vulnerability, but do not mention money in connection with publishing the vulnerability; otherwise, give them six months after your first contact before submitting it to a research journal. When you do publish the vulnerability, only mention companies if it is absolutely necessary: for instance, if it's an Apache vulnerability, you need to mention Apache, but don't need to mention a company using Apache; if it's an IIS vulnerability, you need to mention Microsoft, but not a company using IIS.
Understand that you may not get a job offer right away. The key is to treat the whole thing as a scholarly pursuit for which you DON'T expect to get paid. If you smell like some punk trying to pry money away from a bunch of companies, they'll treat you as a criminal; if you behave like a scholarly researcher who's just out to learn about and publish on the subject of security, they'll treat you as a potential resource: and most companies understand that resources cost money.
One more thing: you might want to talk to a lawyer first. That way, it's on the record that you were trying to get the information out to the proper parties, but saw profit as a potential side effect, not your primary motivation. It's also on the record that you found the vulnerability first. A lawyer might help you to determine which companies it is and isn't safe to contact. I know that means spending some money, but it's better than ending up in federal you-know-what prison because some Chief Security Officer decided that you were trying to blackmail him.
"Should we drive around and hack them and then try to sell them our services?!"
Agreed. I thought the guy was just trying to help them out until I read:
"I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem."
Sounds like extortion to me:
"Extortion is a criminal offense, which occurs when a person either obtains money or property from another through coercion or intimidation or threatens one with physical harm unless they are paid money or property."
Telling someone "Hey I found this problem you didn't know you had and I'll fix it for money" sounds like extortion to me.