Informing a Company of a Security Discovery?
An anonymous reader asks: "I recently found a major security flaw through serendipitous independent research. I do not want to go into details, but it could be used against certain companies and have a large negative financial impact. However, I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem. Seeing as many researchers have been persecuted/prosecuted lately for public disclosure, what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?"
Unless you're already in the business of helping firms secure their systems/networks/etc from attack, most firms will probably look upon your offer with a jaundiced eye. Now if you want to become a fly-by-night security expert, offer your services as a consultant to said firms, and then conveniently discover the security flaws AFTER they've hired you, they probably won't be too upset. But really, unless you have experience as a security expert already, how likely are they to hire you whether you know of a security flaw in their network/systems/etc or not?
Oh yes, definitely agreed, and let me add one more thing:
Hire a lawyer, REALLY!!!
If you're concerned about legal issues, you could find some way to notify them anonymously and untraceably.
Can't sue what you can't name...
Because in some countries simply looking for exploits is illegal, you may have opened yourself up to much larger issues than just finding a way to tell them about it. You may just be looking at having to find a lawyer to get you out of whatever local, state, federal or national law may have been broken by doing it.
So, basically, you're not going to want to send them a letter, crafted on construction paper, with random letters cut from miscellaneous periodical literature, formed in words and sentences stating your conditions for release of information!
In short, I have no good suggestion other than seeking legal counsel, IMMEDIATELY.
Tell them how you discovered the bug (are you a full-time security researcher, just a hobbyist, discovered it by accident?). Tell them the potential severity. Then, as a footnote, mention your skills in patching security holes (assuming you have any) and offer to help them fix this hole, and potential other ones. Don't mention money in your initial email.
If you tell them upfront that you want $$$ to fix the hole, it's going to sound an awful lot like extortion. What you might think of as a friendly e-mail offering help, they could see as "Pay me $$$ and this/further vulnerabilities won't get released to the blackhats". So just treat them nicely, and hope for the same in return.
If they do sit on their asses for more than two weeks or so, it's probably alright to release the vulnerability to the public -- possibly anonymously if you fear retribution. Use tor/remailer if you have to publicly disclose and don't want BigCorp harassing you forever. They may suspect it was you who disclosed the vulnerability, but all they would have is a hunch. Good luck.
I don't see how you can expect to get paid for discovering a security flaw.
If you are willing to travel to the head offices of the company in question and explain, in person, what you have discovered, it is reasonable that the company would pay your travel expenses and a fee for your time.
So you discovered a security flaw...why does that entitle you to money? You don't own the software the flaw was found in. The only way you deserve money is if you are extorting it, which is illegal. I suggest you tell them the flaw for free and move on. You aren't going to get rich doing this and you'll feel better if you just give up the info for free. Besides, you are most likely wrong about the flaw anyway...most amateur researchers are.
Have you considered that maybe they don't have source code to the software in question and they're just going to have to go to the vendor to get a fix?
It will be hard to do that, mostly because that is the f'ing definition of extortion.
My advice. Make note of it, and move any money you need to out of their hands. Tell your friends and family. Nod sagely when the shit hits the fan.
Find a way to send an email to an appropriate person. Start with the same first 3 sentences as in your post here. Then add that you'd expect them to take a few days to come to an internal agreement on what they'd be willing to spend to find out what you know. Let them make an offer, and unless it's ridiculously low, take it. It's found money to you. Right?
Be sure you make two things very, very, very clear to them: (1) If they choose not to buy your information, you will just drop the matter and they can go on being vulnerable; and (2) You will in no way exploit or pass on your knowledge in any way that could result in an exploit of the vulnerability.
If they don't want to pay, then you might see what established security firms would be willing to pay for the knowledge. If none of them seem interested, you should just drop it and go on with whatever you were researching in the first place. You can't save people from something they don't want to be saved from.
You weren't conducting your research for the purpose of making money off what you might have found, right? If it doesn't work out, just move on with your life and your work. Not everything has to end up with money changing hands.
Why hire a lawyer? All a lawyer is going to do is tell you to keep your mouth shut. This can be valuable advice for those who can't figure this out by themselves. But for you it is a waste of money. You could also write in anonymously; forget about the profit angle. You know, do a good turn daily.
Here's an idea: how about entering into an agreement to look for vulnerabilities before you go looking for them? Obviously not a lot of use to you now, so how about you just pretend you don't know about this flaw you claim to know about and go get that agreement. If you can't get the agreement without revealing that you already know about a flaw, then you have no chance of getting paid anyway, so either anonymously inform them of your results or shut up about it already.
Hire a lawyer for the specific purpose of exposing the flaw using the "Anonymous Coward" defense.
If the lawyer fails, sue them, using another lawyer of course.
o the land of the free.....
Write up a bit of code to exploit the security vulnerability and publish it to the web. That's the most reasonable and expedient way to get the vulnerability fixed and your 15 minutes of fame.
Bonus points if you blog about the FBI searches of your office/residence/colon.
Why hire a lawyer? All a lawyer is going to do is tell you to keep your mouth shut.
Spoken like someone who has never been involved in a real business deal. Here's a little nugget of wisdom, son: Lawyers are your friends in business deals.
Shya, as if a lawyer isn't going to figure out a nice way to get money out of people without it looking (legally) like extortion.
Ask Slashdot: I woke up with a dead hooker, how do I beat the rap?
You're looking for money in exchange for providing safety. Seems an awful lot like extortion, even if you call it something else or pretend that you "have no wish to use this for malicious purposes". You may as well just open your negotiations by threatening to start by breaking their thumbs if they don't pay up.
I would suggest offering them the information regardless of whether they want to pay you anything, and offering your services as a consultant if they want your help fixing the issue.
Lawyers are your friends in business deals.
If lawyers gave legal advice and assumed liability when the advice they gave was inappropriate or failed to protect the client then you would have a point. They would be supplying a useful service.
As things stand though, lawyers on both sides of an argument benefit from legal action but suffer no fallout from losses suffered through following their legal advice. That lack of necessary negative feedback is what makes them a pure shyster and snake oil profession, and never a friend under any circumstances.
Avoid like the plague. Lawyers have destroyed what used to be a great nation.
You want us to believe this? That's like saying you were walking along and just happened to notice your neighbor's door unlocked. Why would you be trying the door? Why would you be doing anything to find this security flaw? I don't think most people unmaliciously research things and happen to stumble on a security flaw. The tone of your post is that you want to make money. You want ideas to extort without calling it extortion?
That's a very simplistic and childish view and it makes me wonder how much you've dealt with lawyers.
I deal with them almost every day and the woman I'm dating is a paralegal. I rarely meet a lawyer (actually never have) that lives down to the stereotypes.
I've found many lawyers very helpful with their advice and time, but that might also be because they're my clients and love the services I provide. The more I've worked with them, the more I can see why they work the way they do and I can also see how the uninformed, without experience or knowledge of how they work could misinterpret what they do if such a person were more interested in denigrating people instead of understanding them.
I think lawyers are great, but then again, that may just be because their fees pay my bills and more.
How true - glad to see someone supporting lawyers in cases where they are needed. Divorces, small claims court, car accidents, etc. can all be handled well and good without lawyers, but if you're dealing with Billion $ companies who have teams of lawyers, you don't want to move a muscle before consulting with one yourself.
So you want to disclose a bug to a company without fear of reprisal? Good! Don't want to take on any liability for private disclosure of a newly discovered vulnerability and disclosure is the right course of action? Here's how:
step 1: get a bootable CD that supports wireless like AnonymOS or Knoppix or Auditor Linux
step 2: find a way to randomize your laptop's wifi MAC address
step 3: go to a random coffee shop or access point for which physical access is hard to track
step 4: generate a gpg key for future use
step 5: log on to the interweb and set yourself up with a gmail or hotmail or yahoo email address with a fictional name
step 6: email your gpg private and public key to yourself for future use
step 7: notify the company using the above fictional name
step 8: sign your disclosure email with gpg, and include the public key so you can prove later it was you
step 9: don't expect to be contacted, but do check that email address from a similarly anonymous point on the network in a month or two.
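Step 2 of the procedure above glosses over the one detail that trips people up: a randomised MAC address must still be a valid unicast, locally administered address (low bit of the first octet clear, next bit set), or the driver may refuse it or the address will look obviously malformed in the access point's logs. The following is an added example, not code from the original post; it assumes POSIX sh with od/cut/printf and, for the apply step only, iproute2 and root. The interface name wlan0 is a placeholder.

```shell
#!/bin/sh
# Added example: generate a random, locally administered, unicast MAC
# address suitable for step 2 of the anonymous-disclosure procedure.
# Not from the original post. Assumes POSIX sh, od, cut, printf; the
# apply_mac helper additionally assumes iproute2 and root privileges.

random_mac() {
    # Pull six random bytes from the kernel RNG as decimal numbers.
    bytes=$(od -An -N6 -tu1 /dev/urandom)
    # shellcheck disable=SC2086
    set -- $bytes
    first=$1
    shift
    # First octet: clear bit 0 (I/G, multicast) and set bit 1 (U/L,
    # locally administered) so the address is unicast and does not
    # collide with any vendor-assigned OUI.
    first=$(( (first & 0xFC) | 0x02 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$1" "$2" "$3" "$4" "$5"
}

mac_is_local_unicast() {
    # Returns 0 (true) only if the first octet of $1 has the
    # locally-administered bit set and the multicast bit clear.
    octet=$(printf '%s' "$1" | cut -d: -f1)
    octet=$(printf '%d' "0x$octet")
    [ $(( octet & 0x03 )) -eq 2 ]
}

apply_mac() {
    # usage: apply_mac wlan0 "$(random_mac)"   (interface name is a placeholder)
    # The interface must be down to change its hardware address.
    ip link set dev "$1" down &&
    ip link set dev "$1" address "$2" &&
    ip link set dev "$1" up
}
```

Changing the MAC only helps if the rest of the client does not identify you anyway: the DHCP hostname and client identifier, the set of SSIDs the card probes for, and any browser session cookies carried over from your real identity will all undo it, which is why the procedure pairs this step with a fresh live-CD environment and a freshly created mail account.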
A lawyer is not a friend under any circumstances
Sorry, son. I'll stop at your subject line. You are an imbecile. A lawyer is your friend in a lot of circumstances, especially when your enemy is a lawyer. When you graduate from high school or whatever liberal arts college you are attending and actually do something in life, you will realize that lawyers can play a valuable role in society. Of course, getting you probation on your marijuana possession charge is one...
That would probably be the best course of action.
In many states, it is simply illegal to access a computer without authorization.
Even a simple port scan may be illegal if you haven't been authorized by the owner of the computer.
If you must tell them, do it anonymously and go on with your life. Let them have it fixed by their choice of experts who they trust. If they have any brains at all, they aren't going to pay you to fix it, anyway.
A Greedy Reader has already given two possible answers:
1) Steal directly from them
2) Extort money out of them.
Of these I'd go with #1. With #2 you will absolutely get caught and nailed to the wall, if not in other places.
How about:
3) Profit by telling them so they have better security. Or would doing the right thing make you feel like too much of a tool.
Afterward I'd also suggest:
1) Give up your career in crime if you're too much of a pussy to go through with it. "serendipitous independent research" like hell. Where do you think you are?
Every once in awhile, I blog about someone like this asking for advice. This one, I don't know if I even care to. "How can I make money after mucking around in their code/website?" Give me a break. Either you're in the security industry or you're not. If you're not, tell them about the bug and be done with it. You can tell a security company what you did and what it was later if you want.
This falls on par with the "Should we drive around and hack them and then try to sell them our services?!" gawd
You stand to lose much more than you stand to gain. Yes, *if* you can convince the right people at the company that you are a benevolent security researcher, then *potentially* you might make a small consultancy fee, but it's not going to be anything like as large as the hurt that the company can put on you if they decide your research is a threat, which with a lot of large companies is more likely and with practically all large companies is an entirely possible outcome. The risk is great.
My advice is to go to a public library that allows anonymous web access, sign up for a free webmail account, and notify them anonymously, with as much detail as you can put together. (Make sure you send it to the company's security team, not just some random person at the company.) If you don't hear back after a few days, try again, and Cc someone a bit higher up the corporate food chain. After some predetermined amount of time, if you haven't heard back from them and they haven't taken visible steps to fix it, disclose it (again, anonymously) to some well-known independent security researchers who will have a better chance of getting the company's ear.
If too ridiculously much time passes and they take no action and do not acknowledge the issue, post it anonymously to the most relevant usenet group and/or a major security mailing list.
Under no circumstances publically admit it was you. It's not worth it. The legal hassles that a large company can throw your way far outweigh any potential benefit.
Give up on the idea of profiting from this directly. You're likely to make more profit by developing a reputation as a serious and reliable researcher who can help companies to shore up their defense, rather than as a gray-hat who trawls for companies with security flaws looking for a payoff.
You say there are several companies involved. Research them a little, and approach the one that looks most likely to offer you gratitude rather than a lawsuit, and ask who you should inform of a vulnerability you've discovered. GIVE THEM THE INFORMATION FIRST. After you've given them the information, you can let slip that you're looking for security consulting work. As long as you aren't holding out the information - as long as you give them the warning and all the data you have on the vulnerability BEFORE you mention the idea of providing services for pay, you're not committing extortion. Also, don't mention that other companies have the vulnerability or suggest that you're going to approach them, that might look like a shakedown, too (they might think you're offering to NOT warn the other companies if they pay you, and that, too, could be seen as extortionate). Repeat this, carefully, with other companies if you're sure they won't sue you for your trouble, never letting any one company know that the others have the vulnerability or that you are/might be doing business with them.
Next, write up the vulnerability as a research paper. Wait until you've heard back from all of the companies you contacted that they've fixed the vulnerability, but do not mention money in connection with publishing the vulnerability; otherwise, give them six months after your first contact before submitting it to a research journal. When you do publish the vulnerability, only mention companies if it is absolutely necessary: for instance, if it's an Apache vulnerability, you need to mention Apache, but don't need to mention a company using Apache; if it's an IIS vulnerability, you need to mention Microsoft, but not a company using IIS.
Understand that you may not get a job offer right away. The key is to treat the whole thing as a scholarly pursuit for which you DON'T expect to get paid. If you smell like some punk trying to pry money away from a bunch of companies, they'll treat you as a criminal; if you behave like a scholarly researcher who's just out to learn about and publish on the subject of security, they'll treat you as a potential resource: and most companies understand that resources cost money.
One more thing: you might want to talk to a lawyer first. That way, it's on the record that you were trying to get the information out to the proper parties, but saw profit as a potential side effect, not your primary motivation. It's also on the record that you found the vulnerability first. A lawyer might help you to determine which companies it is and isn't safe to contact. I know that means spending some money, but it's better than ending up in federal you-know-what prison because some Chief Security Officer decided that you were trying to blackmail him.
I don't think you can accomplish what you want to do. It's difficult enough to notify the company that they have a vulnerability. I've read multiple accounts of people who uncovered security issues and tried to notify the company through customer support, only to get nowhere. Then, out of frustration, they publicized the vulnerability online. That would get the company's attention, but would typically result in a lawsuit or some type of criminal prosecution. As weird as it seems, analyzing computer systems to discover security vulnerabilities is illegal under US law.
I did this once to a local ISP some six years ago and tried to report a trivial security hole "anonymously" from a cyber cafe. I don't want to disclose the details about that old security hole here (even though they've fixed their system long ago), but it was trivial in the sense that it was very easy to discover. The ISP called the police who got my identity from the cyber cafe easily. I got arrested.
I was lucky at that time that the cyber laws were not so strict back then and that I did not cause any financial damages. The police simply detained me for about 8 hours and dropped the charges. But still, as a kid (I was ~15 years old at the time), that was an absolutely horrible experience.
You would not be as lucky as me if you were to try that now. Seriously, I don't want to see an honest computer scientist or a tinkerer get thrown in jail or even Guantanamo Bay (who knows if that actually happens) for something as stupid as this. If the security hole is none of your business, just leave it alone!
If you are in the US, don't tell them anything! You risk far more than you stand to gain.
If you are in a country with a non-broken legal system, find out what the situation is, i.e. consult a specialist attorney. However, expect that you cannot charge anything for an initial warning that is enough for the company to understand the problem and hire other experts to fix it.
Go outside, smell the fresh air, walk around a little, and think about how much of this you'll miss when you're thrown behind bars in PMITA prison, with no hope of release because you somehow violated the Patriot Act.
There, that's better. I guarantee that by the time you go back inside, you'll have no interest in telling anyone of any vulnerabilities. You're (still) in control of your own life. And it should stay that way.
"Should we drive around and hack them and then try to sell them our services?!"
Agreed. I thought the guy was just trying to help them out until I read:
"I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem."
Sounds like extortion to me:
"Extortion is a criminal offense, which occurs when a person either obtains money or property from another through coercion or intimidation or threatens one with physical harm unless they are paid money or property."
Telling someone "Hey I found this problem you didn't know you had and I'll fix it for money" sounds like extortion to me.
Not really, the submitter did not say they would use the exploit if refused. The suggestion is rather that someone likely will use the exploit. It's not really coercion, intimidation, or a direct threat.
As many people have said, you are running a *major* risk if you approach the company directly. On the other hand, if you can come to an agreement with the company that includes their commitment to not press charges, then you have accomplished what you want to do.
So what do you do to get from point A to point B? Use an intermediary.
Lawyers do this kind of thing all the time. "On behalf of my client, who wishes to remain anonymous, I would like to propose
A really *good* lawyer will be able to frame the situation in a way that your proposal is not construed as extortion. "My client is concerned about the well-publicised prosecutions of individuals who have performed disclosures of security-related information, and
Plus, attorney-client communication is privileged.
If you're in business, you should *already* have an attorney. The downside is that you'll probably have to pay for your lawyer's time. If you're feeling entrepreneurial, you could see if your lawyer is willing to work on a contingency basis for a portion of the deal with the company
I wouldn't bother reporting it. Let's face it -- the company simply does not want to know about it. By reporting the bug, you have now brought attention to the fact that their network/web server is vulnerable. Not only must they then take the site/network offline while they patch things (costing them sales, etc), but then they must assume they have been compromised and 'clean' all potentially infected hosts and files. Companies will see the cost of this cleanup as eating into their profits and would rather blame you than fix the problem.
I think maybe it is time to require an engineering license for software development. This, I would hope, would weed out the stupid programmers and force proper engineering practices such as code reviews, lessons learned, etc. And if companies didn't want to pay for it (the typical excuse) then they just wouldn't get any software.
I'd second the motion for a lawyer... He's in a legal minefield. Doing anything (and possibly even doing nothing) could fetch him legal trouble. If ever there was a time for super... a lawyer, it's here.
When two engineers take opposite positions in a disagreement, at least one of them is necessarily in error. The one(s) found in error are subject to unlimited personal liability that cannot be discharged in bankruptcy, and may also be subject to criminal sanctions as their actions were necessarily willful.
When a lawyer in a dispute is found to be in error, he is automatically considered innocent despite the situation conclusively proving his guilt. Moreover, his arguments in one case do not permanently estop him from making contradictory arguments in other cases. It is a profession of deceit and contradiction. The lawyer finds invigorating failures that in other professions—mathematics, engineering, medicine, and so forth—would leave a career laying in ruins.
Logical fallacy: False dilemma.
You lose. Thank you for playing.
A guy was in the news recently for going approximately this route. After his contact somebody else attacked with his exploits. He got visits from the Feds and at least a lot of trouble for his efforts, I forget if he was prosecuted.
An enlightened company would have a guarantee up front for this kind of stuff published on their website as a proactive measure. All the rest can get the silent treatment - we have to assume an attack by them since they haven't said otherwise and usually do.
From their front page:
The Zero Day Initiative (ZDI), founded by TippingPoint, a division of 3Com, represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. The program's goal is threefold:
I am surprised no one has pointed you to this site for some good examples of how to use your information.
I recall a certain famous individual - the name escapes me at present - stating that all evil needed to triumph was for good men to do nothing. Now, if I read the gist of many comments correctly, 'the system' is ready and eager to punish the good man who does something...
...so what does that say about the system, I wonder...?
For the person asking the question: I'd hang on to all that information, if I were you. Find some way for it to get (discreetly) into the right hands, but keep backups.
Just in case.