Vulnerability Reporting in a Web 2.0 World
Dave G. | May 25th, 2007 | Filed Under: Disclosure
I reported a vulnerability on a website developed by a popular Web 2.0 company. As it happens, we are a paying customer, so I really want them to take it seriously.
I will now post an anonymized version of the conversation:
Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps.
They reply:
Thanks for the tip, David. It’s been noted.
I reply:
Can you give me some guidance on your response guidelines to security vulnerabilities? Is there a timeframe that you try and have vulnerabilities fixed by?
They reply:
Hi David, We’re always looking for new ideas and fixes to roll out in future updates, but as a rule we don’t comment on possibilities or timeframes.
I reply:
How will I know when this vulnerability is fixed?
They reply:
Actually, they don’t reply at all.
Daniel
May 25th, 2007 4:04 am
Web 2.0 + Security was like DotCom + Logic, they aren’t meant to be
chrisw
May 25th, 2007 9:49 am
What we need is disclosure 2.0 guidelines for web 2.0 software. Dave did the right thing by informing the software company. The software company did the wrong thing by treating this as a bug. Perhaps there should be a “hall of web 2.0 shame” for companies that don’t fix vulnerabilities reported to them in a timely way.
Perhaps we need a place where researchers like Dave can submit a posting saying they have informed Vendor X of Vulnerability Y on Date Z with CVSS score of A. Then Vendor X can get this taken off the list by saying they fixed it. If it wasn’t really fixed Dave can inform the list and it goes back on. Use web 2.0 to police web 2.0.
-Chris
magnus
May 25th, 2007 10:06 am
At least they didn’t take you to court… yet.
Jordan Wiens
May 25th, 2007 10:12 am
I notified a website back in October that they had multiple serious security flaws. Including some really stupid ones — among them, “authentication” resulted in you getting a cookie set to your username — change the cookie, become another user.
Their response was along the lines of “oops, yeah, we should totally fix that!”. I followed up two months later, never heard back and forgot about it until now. Checked again, and they’re still vulnerable.
*sigh*
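The cookie-as-username flaw Jordan describes, shown as an added Python example that is not part of the original thread or any commenter's code: the identity check that trusts the raw cookie, beside a hardened form that binds the username to an HMAC tag computed with a server-side key, so a cookie whose username has been edited no longer verifies. The key, the usernames and the cookie layout are constructed placeholders for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholder key; a real deployment loads a random secret from configuration.
SERVER_KEY = b"constructed-example-key-do-not-deploy"


def vulnerable_current_user(cookie_value: str) -> str:
    """The pattern in the comment: the cookie *is* the username.

    Whatever the browser sends back is trusted as the identity, so editing
    the cookie value from "alice" to "admin" is all it takes to become "admin".
    """
    return cookie_value


def issue_session_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form: bind the username to an HMAC tag only the server can compute.

    Layout is "<username>|<hex tag>". Since the key never leaves the server, a
    client cannot produce a valid tag for a username it was not issued.
    """
    tag = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{username}|{tag}"


def hardened_current_user(cookie_value: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username only if its tag verifies; otherwise None (unauthenticated).

    rpartition splits on the last "|", so a username containing "|" still leaves
    the tag intact; compare_digest on bytes avoids a timing side channel and
    tolerates arbitrary (including non-ASCII) junk in a malformed cookie.
    """
    username, sep, tag = cookie_value.rpartition("|")
    if not sep:
        return None  # bare username with no tag: the vulnerable format, rejected
    expected = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None  # tag does not match: cookie was altered or forged
    return username


def edit_cookie_username(cookie_value: str, new_username: str) -> str:
    """Simulate the edit the comment describes: keep the tag, swap the name."""
    _, _, tag = cookie_value.rpartition("|")
    return f"{new_username}|{tag}"


if __name__ == "__main__":
    issued = issue_session_cookie("alice")
    tampered = edit_cookie_username(issued, "admin")
    print("vulnerable check trusts:", vulnerable_current_user("admin"))
    print("hardened check, genuine cookie:", hardened_current_user(issued))
    print("hardened check, tampered cookie:", hardened_current_user(tampered))
```

The signed cookie only fixes the tampering problem from the comment: it carries no expiry and cannot be revoked without rotating the key, which is why production applications usually store a random session identifier server-side (or use their framework's signed-session support, which adds timestamps) rather than signing the bare username as done here.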
Dan Weber
May 25th, 2007 10:30 am
Unlike software companies, I’m really paranoid about reporting vulnerabilities to websites. The best you can reasonably hope for is that they won’t try to sue.
This is maybe about where software companies were 15 or 20 years ago.
Thomas Ptacek
May 25th, 2007 10:34 am
This company didn’t treat the vuln report as a bug. They treated it as a FEATURE REQUEST.
dre
May 25th, 2007 11:05 am
secure software contracts annexes based on owasp/mitre/wasc/samate/sans-ssi (probably in that order) certifications are the future of web 2.0 b2b.
unfortunately, only sans-ssi exists right now, although owasp has this:
http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
and mark curphey got like $200k to work on a project called “owasp certification” a few weeks ago which he claims will replace pci. pci-dss and texas are going to hell in a handbasket as they well should.
i talked about this at chisec last night
LonerVamp
May 25th, 2007 11:20 am
I think some Web 2.0 companies have not transitioned internally from being short-sighted to longer-sighted. In the short term, unless you’re actually selling security, the impetus is to get the product viable and functional. Security just can’t be a cost or detractor from that. Longer-term, devels can start thinking about security and doing things the right way, once a little bit more of their future is “secured.” (Pun intended!)
Others just like to build things…maintenance (and beefing up security) are sometimes not what they want to do. :\
Not saying that’s right, but…damnit…
Ryan Russell
May 25th, 2007 12:58 pm
Those of us who tend a little more towards the punitive end of the spectrum would tend to say that at this point, you name the company (if not the vuln.)
Yay! Free education for everybody…
(Or perhaps in your subtlety, you’re going to point them at this entry and ask nicely one more time… if so, where’s the hash of your advisory?)
Thomas Ptacek
May 25th, 2007 6:47 pm
They could get vindictive and kick us off their application! No thanks!
Ryan Russell
May 27th, 2007 4:03 am
Picking functionality over security there, Tom?
stacy
May 28th, 2007 1:11 pm
So maybe you should “vote with your wallet” and look for an alternative application.
If you don’t consider the vulnerability serious enough to not use the application, why should they think it is serious enough to expend resources to fix?
Dave G.
May 31st, 2007 11:04 am
stacy:
In this situation, I don’t think the cost of one customer is going to motivate anyone. Besides, not using products and services every time there is a security issue that isn’t resolved to my satisfaction would basically cause me to stop using computers.
Money and lawyers
June 1st, 2007 8:00 pm
Try contacting their funding source or, better yet, their lawyers. These days, those folks understand the words “risk to brand”, etc.
Zero Day mobile edition
June 28th, 2008 9:45 am
[…] vulnerability report as if it was a feature request. That sounds crazy right? Have a look at Dave’s original communication chain with the vendor: Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and […]
Software bugs » Blog Archive » When a security report is treated as a feature request
June 28th, 2008 8:19 pm
[…] Goldsmith has some experience trying to report a security vulnerability to a company that does not have a security-specific […]