Hacker News
Ask HN: How should I disclose this vulnerability?
3 points by inopinatus on Aug 1, 2017 | 1 comment
Background: I am not a vulnerability researcher. I have worked directly in infosec, but not for many years now and my knowledge of best practices is out of date.

I recently discovered a remotely exploitable shell command execution vulnerability in an open-source third-party add-on for a popular application. I don't know the specific popularity of the add-on, but I do know that it is recommended by other users of this app, and I found it by simply being a user thereof. It could be only a tiny handful of people affected; it could be thousands or even more. I simply don't know, and no stats are available.

I have contacted the author of the add-on who seems unwilling to fix the vulnerability. He or she has expressed a preference for simply removing the github repo. I have suggested that at least there should be a PSA in its place. I have also found at least one fork in the wild.

I'd welcome suggestions or references for how to proceed in a safe, legal and ethical manner. I have searched for current responsible disclosure guidelines but they seem focused on the professional vulnerability hunter and/or for major applications.

The maintainer's position seems reasonable to me. Keeping the repository up, even with a warning and no code, continues a mechanism where strangers can ask that work be done and then find themselves upset/angry/frustrated when the request is refused. Sure, closing it down isn't ideal. On the other hand, the open source ideal is closer to: someone finds a bug, clones the code, writes a patch, and the first contact is "I found a problem and here is the solution."

Good luck.