
Questions tagged [disclosure]

Releasing information about security issues to the general public or a selected group.

21 votes · 4 answers · 5k views

Is a responsible disclosure for hardware-based vulnerabilities even possible?

In the last decade side-channel attacks like fault injection attacks (e.g., voltage glitching attacks) have been used to bypass JTAG locks or read-out memory protections. Such vulnerabilities might ...
asked by dudekowsky
1 vote · 0 answers · 101 views

How to inform the owner of a site about a vulnerability if there is no feedback form? [closed]

Recently, I noticed several resources that may be in danger, but I did not find a feedback form or email or another way to contact the owner and warn. How can I notify the owners? DoS seems to me a ...
asked by dorianw91
0 votes · 1 answer · 2k views

I found a way to remove controls on a school Chromebook. How should I tell the school? [duplicate]

Our school uses LanSchool Air and Content Keeper. I found a way to disable both. I have already gotten my Chromebook taken away for "abusing Chromebook privileges". I think this is a major ...
asked by ANON10104
40 votes · 6 answers · 10k views

Software vendor refuses to fix security vulnerability - what to do?

I work as a consultant for a large corporation that uses some software, in which I have found a security vulnerability. I notified both my client and the software vendor about a year ago. They ...
asked by TravelingFox
4 votes · 1 answer · 315 views

A company is still leaking highly sensitive data well over 90 days after I have reported the issue, where to go from here?

Back in February, well over 90 days ago, I reported a vulnerability to a service that is leaking highly sensitive data, such as passport id, full name, date of birth and medical data. After that I ...
asked by Jespertheend
4 votes · 2 answers · 2k views

Acceptably resolving a serious vulnerability disclosure

Hypothetical scenario: An organisation with users who rely on the service's zero knowledge cryptography has a vulnerability disclosure made to it from a research institution. There are multiple ...
asked by Ali
7 votes · 2 answers · 1k views

Should CVE be assigned to an application even if the vulnerability is in a vulnerable 3rd-party library?

I found a vulnerability in a library of vendor A, I reported it, they fixed it and I received a CVE. We noticed that some application (let's call it vendor B), contained the library of vendor A, we ...
asked by E235
3 votes · 2 answers · 227 views

Found a bug in a software product used by the pentesting customer; who to report it to?

Let's say I'm doing a pentest on BlueCorp and find a bug in the software UnrealSec made and distributed by SecCorp which is used by BlueCorp and found during said pentest. Should I report this bug to ...
asked by ChocolateOverflow
40 votes · 4 answers · 7k views

How do open-source projects prevent disclosing a bug while fixing it?

I understand that many open-source projects request vulnerabilities not to be disclosed on their public bug tracker but rather by privately contacting the project's security team, to prevent ...
asked by Heinzi
0 votes · 1 answer · 117 views

Course of action after finding a security flaw [duplicate]

I've found what I believe is a significant security flaw on quite a big platform. It can be exploited to obtain on the orders of millions of email addresses with some additional data. They're big ...
asked by reveance
71 votes · 7 answers · 18k views

How do I inform a company I found a leaked database of theirs on the Internet? [duplicate]

Recently I found a leaked database of a company and I do not know how to go about contacting the company. It is so weird because I cannot find any type of Information Security contact email to report ...
asked by Arkest Must
0 votes · 2 answers · 1k views

How do I sell critical vulnerability info to private company? [closed]

Here is the story. There is a private company that has some software product that is used by thousands of its customers. After spending a few sleepless nights on reverse engineering that product, I ...
asked by Titan
-1 votes · 1 answer · 146 views

I found an XSS site while searching [duplicate]

I found a site where XSS is running. I want to report this site because it is dangerous for others. Where should I report it?
asked by su3158
1 vote · 0 answers · 217 views

Should I report a severe data leak on a site?

I noticed a severe data leak on a Chinese website allowing me to access other users' phone numbers, addresses and names. Should I report this? I don't want the higher management at the company to ...
asked by James Nixon
0 votes · 1 answer · 119 views

Where to disclose heuristic bypass

There's one piece of software, let's call it an anti-malware, that uses a heuristic to detect some types of attack. However, there's a very simple way to stay under its radar. Where may I report that kind of "...
asked by user1532080