The risks of disclosing web vulnerabilities [LWN.net]

The risks of disclosing web vulnerabilities

Posted May 4, 2006 9:27 UTC (Thu) by eskild (subscriber, #1556)
In reply to: The risks of disclosing web vulnerabilities by dvrabel
Parent article: The risks of disclosing web vulnerabilities

Well, yes, but... Reading the article it appears the web site owners didn't acknowledge the problem until they were presented with data that proved their systems' failure.

In other words: They flat-out denied they had a problem -- until it was proven to them with their own data.

It is hard for me to see how an organization acting in denial of their own problems could be convinced of their web site deficiencies in another manner.

So he *had* to retrieve data, he *had* to distribute them. But, of course, he *didn't* have to retain them once they were sent.

I see this behaviour as a typical "we don't have any problems, but we'll sue you to pieces if we have" scare tactic. Utterly, utterly irresponsible. And pathetic, too.

An anecdote: A couple years back I found an SQL injection vulnerability in a major Danish site, and I simply gave them a call. After some shuffling around with my phone call, I got to one of the developers. She was shocked -- but thankful, and they fixed it rapidly. That's how these things should work.

(Log in to post comments)

The risks of disclosing web vulnerabilities

Posted May 14, 2006 19:48 UTC (Sun) by kasperd (guest, #11842) [Link]

I see this behaviour as a typical "we don't have any problems, but we'll sue you to pieces if we have" scare tactic. Utterly, utterly irresponsible. And pathetic, too.

I have experinced that as well with a Danish company. My experience with that particular company was a different reaction on each email I send to them.

ignore it: I wrote an email to them, and it appeared to be ignored. I got no reply, and nothing was done about the problem.
try to talk out of it: I got a thankful answer, in which they stated, that they would do something about the problem. But they didn't.
deny it: After my third email they tried to deny the existence of the problem. To which I responded, that in that case it couldn't do any harm to publish my findings.
threaten: Their next reaction was to threaten me with a lawsuit in case anybody found out about the problem.

At that point I decided the best I could do was to report it the company to authorities for keeping personal data without the amount of security required by the law. At least I felt that was the best I could do to my own position in case of a lawsuit.

The company was given a very long time to respond about the problem. And just before their time ran out, they removed that particular symptom. However there was no proof that the vulnurability was really solved. And in other places there were still symptoms showing vulnurabilities, and other problems showing they just don't know what the hell they are doing.

A couple years back I found an SQL injection vulnerability in a major Danish site, and I simply gave them a call. After some shuffling around with my phone call, I got to one of the developers. She was shocked -- but thankful, and they fixed it rapidly.

Nice to hear that there still are companies handling such approaches reasonably. Unfortunately they are rare. I have reached the point where I don't know if it is worth the effort to tell sites about their security problems.

I think the next time I come across a security vulnurability in a Danish site I'm just going to report it straight to the authorities and then just publish the fact that this company has been reported.