Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
notification emails
Posted by: yawnmoth
Date: September 06, 2006 10:04PM

I'm curious... when you notify a company that they have a vulnerability - xss or otherwise - in their products, how do you phrase those notification emails? Do you even bother?

Re: notification emails
Posted by: id
Date: September 07, 2006 12:57AM

I like to start them with "How much you going to pay me to fix this shit?"

But then again I consult and they asked me to look in the first place ;)

Seriously though, I have only sent a couple of bugs to websites because mostly I don't care, but a credit card hole, etc. I will. The most important thing IMO is sending it to the right person in the first place: check their site for a security contact and direct it to them, or if one is not listed just address it to security@company.com asking for the correct person to ask about security issues. Once you get that, then just be polite and explain the hole and its implications just as you would to another professional.

You may consider doing it anonymously if you don't want credit; small sites, etc. have in the past blamed the person that found the problem and caused that person trouble.

-id

Re: notification emails
Posted by: WhiteAcid
Date: September 07, 2006 02:59AM

I found a flaw on [site] which could potentially lead to ...

The flaw lies in ...

To fix this flaw ...

If you have any questions feel free to reply to this email and I'll do
my best to help out.

Thank you for your time.

Edit: hehe, yeah. That's all I send, I leave it a puzzle for them to solve.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Edited 1 time(s). Last edit at 09/07/2006 03:00AM by WhiteAcid.

Re: notification emails
Posted by: kefka
Date: September 07, 2006 03:24PM

I pretty much follow a variety of formats depending on my mood, but if they don't reply, I become resentful (usually). I post them here, on milw0rm and a couple of other places. If someone gets creative and fucks with them, they'll fix it. It's pretty unorthodox but it's also not _my_ problem, it's theirs.

Re: notification emails
Posted by: Legionnaire
Date: September 22, 2006 05:52PM

From another point of view, if they have your e-mail claiming the discovery and then they get fucked up, they might decide to blame you for the job. I mean, if you were working as a sysadmin and had to cover your ass in such a situation, wouldn't you blame that "evil nerd hacker kid"?

Edited 1 time(s). Last edit at 09/22/2006 05:52PM by Legionnaire.

Re: notification emails
Posted by: id
Date: September 22, 2006 05:54PM

GET OFF MY LAWN YOU EVIL NERD HACKER KID!

^that's why I added the little warning at the end.

-id

Re: notification emails
Posted by: metal_hurlant
Date: September 29, 2006 02:23AM

This is the latest notification I sent to some secalert@<site goes here>:

> Nothing too special, just some basic XSS on <site goes here>:
>
> <boring list of URLs with barely any text goes here>
>
> I won't make these issues public, so handle it as you wish.
> ( but progress updates would be appreciated. )
>
> Regards,
> <name goes here>

No reply after a week. I need to improve my writing skillz or stop telling people there's no downside in ignoring me. ;(

Re: notification emails
Posted by: Kyran
Date: September 29, 2006 02:26AM

Refer them to the RFPolicy and state you will disclose the hole after a period of time.

- Kyran

Re: notification emails
Posted by: rsnake
Date: September 29, 2006 10:03AM

I've found that mostly companies don't want to respond because that's like admitting guilt and they aren't prepared for what will happen if you should take that email response and publish it - especially if it will take them a while.

Right now I think there are about 20 companies who are having meetings about the "So it begins" thread that go something like this, "What is this ex ess ess thingy and why haven't you fixed it yet?"

- RSnake
Gotta love it. http://ha.ckers.org

Re: notification emails
Posted by: id
Date: September 29, 2006 10:46AM

I think 20 companies is a super low-ball guess....

x10

-id

Re: notification emails
Posted by: rsnake
Date: September 29, 2006 11:03AM

Probably... you think 200? Perhaps... They need to start sending in money so I can build out my lab again. I really need cash to do some more testing.

- RSnake
Gotta love it. http://ha.ckers.org

Re: notification emails
Posted by: metal_hurlant
Date: September 30, 2006 11:33PM

Neat.
Less than 5 hours after my earlier posting, the company in question answered:

> Thank you for bringing this issue to our attention. We are investigating and will remedy the problem as soon as possible.

Talk about interesting timing.

Metal (who should check his email more often.)

Re: notification emails
Posted by: rsnake
Date: September 30, 2006 11:38PM

So it took a week and 4 hours, huh? I wonder what it will take to get it fixed. Keep us posted.

- RSnake
Gotta love it. http://ha.ckers.org

Re: notification emails
Posted by: metal_hurlant
Date: October 01, 2006 12:05AM

My current record-holder was a popular blog hoster, clocking in at 2 years to fix some XSS issues that had some good worm potential.

In their (weak) defense, the proper fix was a lot more involved than tweaking a regexp somewhere.

This one, though, should be trivial. If it's not smashed in a couple of weeks, they're doing something wrong.

Re: notification emails
Posted by: rsnake
Date: October 01, 2006 01:11AM

Those rare situations do happen every once in a while. I've seen a few of them myself. But in the vast majority it really is just a few line fix.

- RSnake
Gotta love it. http://ha.ckers.org
