
Informing a Company of a Security Discovery?

An anonymous reader asks: "I recently found a major security flaw through serendipitous independent research. I do not want to go into details, but it could be used against certain companies and have a large negative financial impact. However, I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem. Seeing as many researchers have been persecuted/prosecuted lately for public disclosure, what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?"
  • Unless you're already in the business of helping firms secure their systems/networks/etc from attack, most firms will probably look upon your offer with a jaundiced eye. Now if you want to become a fly-by-night security expert, offer your services as a consultant to said firms, and then conveniently discover the security flaws AFTER they've hired you, they probably won't be too upset. But really, unless you have experience as a security expert already, how likely are they to hire you whether you know of a
    • If you're not in the security industry, but have an interest and quite a lot of technical expertise, why not approach security firms with some of the details? If this flaw really is earth shattering for the financial institutions, the security firms will see $$$ and they'll have the connections to get inside and start fixing the problem (hopefully with you leading the contract).

      You'll want to speak with a lawyer first to make sure the security firm just couldn't say "thank you, we'll go fix it ourselves
    • Have you checked out the Zero Day Initiative [zerodayinitiative.com]?
      From their front page:
      The Zero Day Initiative (ZDI), founded by TippingPoint, a division of 3Com, represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. The program's goal is threefold:
      1. reward independent security research
      2. promote and ensure the responsible disclosure of vulnerabilities
      3. provide 3Com's TippingPoint division customers with the world's best security protection
    • by rbannon ( 512814 )
      Yes, write their chief information officer and offer your services as a security expert. Tell him/her that if you don't show them a security hole within one week, they won't have to pay, but set your hourly fee at a high rate. Forty hours at $100/hour, or whatever.
  • If you're concerned about legal issues, you could find some way to notify them anonymously and untraceably.

    Can't sue what you can't name...

    • by Fry-kun ( 619632 )
      oh, great advice! make yourself look like a shady character so that the company won't treat you as one... wait, WHAT?!
    • by jimicus ( 737525 )
      Nor can you pay them.

      From the question:
      what is the best way to go about informing the company and agreeing on an appropriate fee for my services
  • because in some countries, simply looking for exploits is illegal, so you may have opened yourself up for much larger issues than just finding a way to tell them about it. You may just be looking at having to find a lawyer to get you out of whatever local, state, or federal or national law may have been broken by doing it.

    So, basically, you're not going to want to send them a letter, crafted on construction paper, with random letters cut from miscellaneous periodical literature, formed in words and sentence
    • Re: (Score:3, Insightful)

      by Omnifarious ( 11933 ) *

      This is actually a really pressing first amendment issue IMHO. This stuff should not be any more illegal than someone putting a strain gauge on important bridge supports and discovering that the bridge is likely to collapse when 5 18-wheelers go over it at the same time. This kind of targeted disclosure only improves security in the long run.

      In fact with the way the laws are written right now, companies act just like politicians would if it were trivial to prove libel.

      • I couldn't agree more with you. It, unfortunately, is a repercussion of laws that were written in haste and designed to blanket the whole. Leaving little to no room for special instance cases such as this. It's unfortunate there isn't a provided avenue for things like this to safely, legally, travel to ensure public safety and protect those who just wish to let people know there's a problem. I think the bridge analogy is perfect. Load tests need to be performed more often. Everywhere. Holding people's fee
      • by QuantumG ( 50515 )
        As right as you are on the issue of freedom to test for security issues, I really dislike your analogy. Like all analogies, it fails to capture the complexity of the situation. In your attempt to make an easily acceptable argument you have simplified the situation such that it is absurd to consider any alternative to the conclusion you desire. Looking for security flaws is something we should all be free to do; if we are concerned with the security of a system, we should be free to test that system to de
        • by mysidia ( 191772 )

          How about this: the bridge you would test is on public property. If I happen to own a bridge, that is on my private property, you have no right to enter my property in order to "test" this bridge.

          The servers a hacker would be messing with are private property. In the analogous situation, the would-be hacker has no special right to "test" the servers, if the property owner hasn't approved of it -- it may be a form of trespass.

        • I do think all analogies are flawed, and I struggled to find one I thought would fit at all. In modern America of course, those who would thwart the engineer have a new word to wave around. They can yell 'security' and everybody will duck, hide and abandon their belief in any part of the constitution whatsoever.

          I considered the 'blowing up the bridge' case in thinking about this. To me, the act of blowing up the bridge is what's wrong, not the testing. I agree that the engineer's motives should come un

        • Ha.

          Ever drive across the George Washington Bridge from NYC? There are signs everywhere saying "Camera usage Prohibited by law," or something along those lines. You can't even take a picture of the bridge. Try putting strain gauges on it...
          • by jimicus ( 737525 )
            They probably never thought of that. By the time the security neanderthal has decided s/h/it doesn't like you using the strain gauge, you'll have long gone.
  • Just be honest.. (Score:3, Insightful)

    by schmiddy ( 599730 ) on Saturday November 04, 2006 @02:07AM (#16713327) Homepage Journal
    Tell them how you discovered the bug (are you a full-time security researcher, just a hobbyist, discovered it by accident?). Tell them the potential severity. Then, as a footnote, mention your skills in patching security holes (assuming you have any) and offer to help them fix this hole, and potential other ones. Don't mention money in your initial email.

    If you tell them upfront that you want $$$ to fix the hole, it's going to sound an awful lot like extortion. What you might think of as a friendly e-mail offering help, they could see as "Pay me $$$ and this/further vulnerabilities won't get released to the blackhats". So just treat them nicely, and hope for the same in return.

    If they do sit on their asses for more than two weeks or so, it's probably alright to release the vulnerability to the public -- possibly anonymously if you fear retribution. Use tor/remailer if you have to publicly disclose and don't want BigCorp harassing you forever. They may suspect it was you who disclosed the vulnerability, but all they would have is a hunch. Good luck.
    • by cgenman ( 325138 )
      Not to be too pedantic, but this sounds like a really bad idea. You're basically at the mercy of companies to decide whether or not they want to prosecute you. It's a crapshoot as to whether you get a sensible, intelligent person on the other end of the line, or you spend tens of thousands of dollars on a lawyer. Even the hint of personal gain is enough for people to shout blackmail, and is definitely enough to bring a team of lawyers down on your family.

      It was serendipitous independent research, right?
    • A guy was in the news recently for going approximately this route. After his contact somebody else attacked with his exploits. He got visits from the Feds and at least a lot of trouble for his efforts, I forget if he was prosecuted.

      An enlightened company would have a guarantee up front for this kind of stuff published on their website as a proactive measure. All the rest can get the silent treatment - we have to assume an attack by them since they haven't said otherwise and usually do.

      Don't pet the Grizz
  • I don't see how you can expect to get paid for discovering a security flaw.

    If you are willing to travel to the head offices of the company in question and explain, in person, what you have discovered, it is reasonable that the company would pay your travel expenses and a fee for your time.

    • by QuantumG ( 50515 )
      Yep, because companies often pay people they've never met to come to their offices and explain things they don't wanna know and, by knowing, give them an obligation to spend money to fix. Happens all the time.
  • by Anonymous Coward
    So you discovered a security flaw...why does that entitle you to money? You don't own the software the flaw was found in. The only way you deserve money is if you are extorting it, which is illegal. I suggest you tell them the flaw for free and move on. You aren't going to get rich doing this and you'll feel better if you just give up the info for free. Besides, you are most likely wrong about the flaw anyway...most amateur researchers are.

    Have you considered that maybe they don't have source code to th
  • Extortion (Score:3, Informative)

    by earnest murderer ( 888716 ) on Saturday November 04, 2006 @02:29AM (#16713473)
    It will be hard to do that, mostly because that is the f'ing definition of extortion.

    My advice. Make note of it, and move any money you need to out of their hands. Tell your friends and family. Nod sagely when the shit hits the fan.

  • Find a way to send an email to an appropriate person. Start with the same first 3 sentences as in your post here. Then add that you'd expect them to take a few days to come to an internal agreement on what they'd be willing to spend to find out what you know. Let them make an offer, and unless it's ridiculously low, take it. It's found money to you. Right?

    Be sure you make two things very, very, very clear to them: (1) If they choose not to buy your information, you will just drop the matter and they

    • by JerryP ( 309597 )
      Sorry, but to me that suggestion seems to be pretty dangerous. If the company does not take the offer and the vulnerability is exploited at any time later on, the OP might be in hot water. They always could claim that there was no other way of this being exploited than him releasing or using the information. Of course in an ideal world they also would have to prove this. In the real world, I'm afraid, the ensuing hilarity will serve to make a couple of lawyers richer and him much poorer.
    • by jo7hs2 ( 884069 )
      Stupid, stupid, stupid. Don't offer the information for money or for free. Shut up about it, or talk to a lawyer before you say another word. You could already be in trouble.
  • Here's an idea: how about entering into an agreement to look for vulnerabilities before you go looking for them? Obviously not a lot of use to you now, so how about you just pretend you don't know about this flaw you claim to know about and go get that agreement. If you can't get the agreement without revealing that you already know about a flaw, then you have no chance of getting paid anyway, so either anonymously inform them of your results or shut up about it already.
  • Write up a bit of code to exploit the security vulnerability and publish it to the web. That's the most reasonable and expedient way to get the vulnerability fixed and your 15 minutes of fame.

    Bonus points if you blog about the FBI searches of your office/residence/colon.
  • Ask Slashdot: I woke up with a dead hooker, how do I beat the rap?

    You're looking for money in exchange for providing safety. Seems an awful lot like extortion, even if you call it something else or pretend that you "have no wish to use this for malicious purposes". You may as well just open your negotiations by threatening to start by breaking their thumbs if they don't pay up.
    • Re: (Score:3, Funny)

      by jamesh ( 87723 )
      I woke up with a dead hooker, how do I beat the rap?

      that's an easy one. "I didn't kill her! She was dead when I bought her."

  • I would suggest offering them the information regardless of whether they want to pay you anything, and offering your services as a consultant if they want your help fixing the issue.
  • by mikesd81 ( 518581 ) <mikesd1@noSpaM.verizon.net> on Saturday November 04, 2006 @03:32AM (#16713819) Homepage
    I recently found a major security flaw through serendipitous independent research

    You want us to believe this? That's like saying you were walking along and just happened to notice your neighbor's door unlocked? Why would you be trying the door? Why would you be doing anything to find this security flaw? I don't think most people unmaliciously research things and happen to stumble on a security flaw? The tone of your post is you want to make money. You want ideas to extort without calling it extortion?
    • by QuantumG ( 50515 )
      Meh, stupid analogies aside, I've found security flaws in software by accident. It's really not that uncommon if you happen to do a lot of reverse engineering for interoperability. Also, it's often the case that software that crashes is software that has a security flaw. Under Windows, I get a popup asking me if I want to attach my debugger to software that has crashed. It's the default behaviour if you have Visual Studio installed. I often hit "Yes" because I can then press "Stop" in the debugger and t
    • by jamesh ( 87723 )

      I don't think most people unmaliciously research things and happen to stumble on a security flaw?

      It depends... If it was a company's web site or something that you found a hole in then the above may apply, but if it was some commercial software then I believe (morally, not necessarily legally) that all bets are off. To use your analogy, if I purchased a particular brand of padlock to evaluate with the intention of deploying it across my company wherever a padlock may be required, then I think that it is wit

      • Right, and you bought the padlocks for your company. You weren't just tugging on padlocks randomly.
    • by ashridah ( 72567 )
      In all fairness to the guy, he probably just did something similar to this Joel on Software [joelonsoftware.com] article.

    • by orkysoft ( 93727 )
      But the X makes it sound cool!
    • I don't know about you, but before employing any software in a production environment I tend to test the hell out of it.

      I've done this before and explained that's how and why I found the flaw.
  • by ubiquitin ( 28396 ) * on Saturday November 04, 2006 @03:55AM (#16713959) Homepage Journal
    So you want to disclose a bug to a company without fear of reprisal? Good! Don't want to take on any liability for private disclosure of a newly discovered vulnerability and disclosure is the right course of action? Here's how:

    step 1: get a bootable CD that supports wireless like AnonymOS or Knoppix or Auditor Linux

    step 2: find a way to randomize your laptop's wifi MAC address

    step 3: go to a random coffee shop or access point for which physical access is hard to track

    step 4: generate a gpg key for future use

    step 5: log on to the interweb and set yourself up with a gmail or hotmail or yahoo email address with a fictional name

    step 6: email your gpg private and public key to yourself for future use

    step 7: notify the company using the above fictional name

    step 8: sign your disclosure email with gpg, and include the public key so you can prove later it was you

    step 9: don't expect to be contacted, but do check that email address from a similarly anonymous point on the network in a month or two.
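    As an added example, not part of the thread: steps 4 and 8 above amount to a signed-commitment scheme, and the code below shows how the recipient would later check a claim of authorship against the original signed disclosure. It uses Go's standard-library ed25519 as a stand-in for gpg; the type and function names are mine, not any real tool's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// SignedMessage is the disclosure as sent: the text, the sender's public key
// (shipped with the first message, as in step 8) and a signature over the text.
type SignedMessage struct {
	Text      string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// NewKeypair stands in for step 4. Note the caveat raised in the replies:
// whoever holds this private key can later produce the "it was me" proof,
// so where the key is stored is the link between the disclosure and a person.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign signs text under priv and embeds the matching public key.
func Sign(priv ed25519.PrivateKey, text string) SignedMessage {
	return SignedMessage{
		Text:      text,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, []byte(text)),
	}
}

// Verify checks that the signature is valid under the embedded public key.
func Verify(m SignedMessage) bool {
	return len(m.PublicKey) == ed25519.PublicKeySize &&
		ed25519.Verify(m.PublicKey, []byte(m.Text), m.Signature)
}

// ProveSameAuthor is what the recipient runs months later: it accepts only if
// the original disclosure and the new claim both verify and were signed by the
// same key. Requiring a signature over fresh text (rather than a replay of the
// old signature) shows the claimant holds the key now, not just a copy of the mail.
func ProveSameAuthor(disclosure, claim SignedMessage) error {
	if !Verify(disclosure) {
		return errors.New("disclosure signature does not verify")
	}
	if !Verify(claim) {
		return errors.New("claim signature does not verify")
	}
	if !disclosure.PublicKey.Equal(claim.PublicKey) {
		return errors.New("claim was signed by a different key")
	}
	return nil
}

func main() {
	// Constructed sample disclosure and later claim; the key is freshly generated.
	_, priv, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	disclosure := Sign(priv, "Vulnerability report sent from a throwaway address (constructed sample).")
	fmt.Println("embedded public key:", base64.StdEncoding.EncodeToString(disclosure.PublicKey))

	claim := Sign(priv, "I am the author of the report you received; please contact me.")
	fmt.Println("same author:", ProveSameAuthor(disclosure, claim))

	// An impostor with their own key cannot pass the check.
	_, other, _ := NewKeypair()
	fmt.Println("impostor:", ProveSameAuthor(disclosure, Sign(other, "that report was mine")))
}
```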
    • >step 2: find a way to randomize your laptop's wifi MAC address

      That's a built in feature of the anonym.os live CD.

      Hotmail account? That will lead straight to the coffee shop without the effort of a court order. Unless there's been a change, Hotmail puts the originating IP into a header.
      • still just the random coffee shop in the next town over, still doesn't prove that it's me over one of their other 20 other customers within 24 hours with a laptop, that and a spoofed MAC address on a wifi means there isn't really any hw level trace they can prove
      • uh, ok, so compromise 12 Linux machines, 36 SunOS machines, and a (obscure!) BeOS 4 machine, then run squid and SOCKS5 alternately on each machine. daisy chain your connection through all of them and run Tor on the edge of the chain.
      • by orkysoft ( 93727 )
        Use a different coffee shop next time. Or the same, they'll never expect that (unless they expected you to think they'd never expect that)!
    • by moreati ( 119629 )
      step 6: email your gpg private and public key to yourself for future use

      Erm, doesn't this link your identity to the disclosure? Making steps 1-3 pointless.
      • step 6: email your gpg private and public key to yourself for future use

        Erm, doesn't this link your identity to the disclosure? Making steps 1-3 pointless.

        I imagine what the parent meant was that you email both keys to the one-time-use email address created for this purpose. That way you can retrieve it later given only the password associ

  • A Greedy Reader has already given two possible answers:
    1) Steal directly from them
    2) Extort money out of them.

    Of these I'd go with #1. With #2 you will absolutely get caught and nailed to the wall, if not in other places.

    How about:
    3) Profit by telling them so they have better security. Or would doing the right thing make you feel like too much of a tool.

    Afterward I'd also suggest:

    1) Give up your career in crime if you're too much of a pussy to go through with it. "serendipitous independent research" like
  • You stand to lose much more than you stand to gain. Yes, *if* you can convince the right people at the company that you are a benevolent security researcher, then *potentially* you might make a small consultancy fee, but it's not going to be anything like as large as the hurt that the company can put on you if they decide your research is a threat, which with a lot of large companies is more likely and with practically all large companies is an entirely possible outcome. The risk is great.

    My advice is to
  • by kalidasa ( 577403 ) on Saturday November 04, 2006 @09:26AM (#16715075) Journal

    Give up on the idea of profiting from this directly. You're likely to make more profit by developing a reputation as a serious and reliable researcher who can help companies to shore up their defense, rather than as a gray-hat who trawls for companies with security flaws looking for a payoff.

    You say there are several companies involved. Research them a little, and approach the one that looks most likely to offer you gratitude rather than a lawsuit, and ask who you should inform of a vulnerability you've discovered. GIVE THEM THE INFORMATION FIRST. After you've given them the information, you can let slip that you're looking for security consulting work. As long as you aren't holding out the information - as long as you give them the warning and all the data you have on the vulnerability BEFORE you mention the idea of providing services for pay, you're not committing extortion. Also, don't mention that other companies have the vulnerability or suggest that you're going to approach them, that might look like a shakedown, too (they might think you're offering to NOT warn the other companies if they pay you, and that, too, could be seen as extortionate). Repeat this, carefully, with other companies if you're sure they won't sue you for your trouble, never letting any one company know that the others have the vulnerability or that you are/might be doing business with them.

    Next, write up the vulnerability as a research paper. Wait until you've heard back from all of the companies you contacted that they've fixed the vulnerability, but do not mention money in connection with publishing the vulnerability; otherwise, give them six months after your first contact before submitting it to a research journal. When you do publish the vulnerability, only mention companies if it is absolutely necessary: for instance, if it's an Apache vulnerability, you need to mention Apache, but don't need to mention a company using Apache; if it's an IIS vulnerability, you need to mention Microsoft, but not a company using IIS.

    Understand that you may not get a job offer right away. The key is to treat the whole thing as a scholarly pursuit for which you DON'T expect to get paid. If you smell like some punk trying to pry money away from a bunch of companies, they'll treat you as a criminal; if you behave like a scholarly researcher who's just out to learn about and publish on the subject of security, they'll treat you as a potential resource: and most companies understand that resources cost money.

    One more thing: you might want to talk to a lawyer first. That way, it's on the record that you were trying to get the information out to the proper parties, but saw profit as a potential side effect, not your primary motivation. It's also on the record that you found the vulnerability first. A lawyer might help you to determine which companies it is and isn't safe to contact. I know that means spending some money, but it's better than ending up in federal you-know-what prison because some Chief Security Officer decided that you were trying to blackmail him.

    • Mod this up. I think this is about the only acceptable way to profit from this situation.

      While I have uncovered a number of security holes, I haven't ever profited directly from them. I added them to my resume and eventually got a job at a bank (where I uncovered more security holes). However, the only way to get a public reputation is to publish the hole.

  • I don't think you can accomplish what you want to do. It's difficult enough to notify the company that they have a vulnerability. I've read multiple accounts of people who uncovered security issues and tried to notify the company through customer support, only to get nowhere. Then, out of frustration, they publicized the vulnerability online. That would get the company's attention, but would typically result in a lawsuit or some type of criminal prosecution. As weird as it seems, analyzing computer systems

  • by Klaidas ( 981300 )
    I recently found a major security flaw
    No, there is no security hole in rm
  • I did this once to a local ISP some six years ago and tried to report a trivial security hole "anonymously" from a cyber cafe. I don't want to disclose the details about that old security hole here (even though they've fixed their system long ago), but it was trivial in the sense that it was very easy to discover. The ISP called the police who got my identity from the cyber cafe easily. I got arrested.

    I was lucky at that time that the cyber laws were not so strict by then and that I did not cause any financ
  • If you are in the US, don't tell them anything! You risk far more than you stand to gain.

    If you are in a country with a non-broken legal system, find out what the situation is, i.e. consult a specialist attorney. However, expect that you cannot charge anything for an initial warning that is enough for the company to understand the problem and hire other experts to fix it.

  • You didn't see anything. Put away the tools. If your DSL or cable router gets a new IP address whenever you reconnect, reboot it. All will end in tears if you tell anyone about it. Regardless of what it is, it'll be your fault, you were purposefully hacking to rip off the place, and you're trying to extort the company.

    Go outside, smell the fresh air, walk around a little, and think about how much of this you'll miss when you're thrown behind bars in PMITA prison, with no hope of release because you som

  • As many people have said, you are running a *major* risk if you approach the company directly. On the other hand, if you can come to an agreement with the company that includes their commitment to not press charges, then you have accomplished what you want to do.

    So what do you do to get from point A to point B? Use an intermediary.

    Lawyers do this kind of thing all the time. "On behalf of my client, who wishes to remain anonymous, I would like to propose .... "

    A really *good* lawyer will be able to frame
  • I wouldn't bother reporting it. Let's face it -- the company simply does not want to know about it. By reporting the bug, you have now brought attention to the fact that their network/web server is vulnerable. Not only must they then take the site/network offline while they patch things (costing them sales, etc), but then they must assume they have been compromised and 'clean' all potentially infected hosts and files. Companies will see the cost of this cleanup as eating into their profits and would rat
  • I am surprised no one has pointed you to this [attrition.org] site for some good examples of how to use your information.
  • I recall a certain famous individual - the name escapes me at present - stating that all evil needed to triumph was for good men to do nothing. Now, if I read the gist of many comments correctly, 'the system' is ready and eager to punish the good man who does something...
    ...so what does that say about the system, I wonder...?

    For the person asking the question: I'd hang on to all that information, if I were you. Find some way for it to get (discreetly) into the right hands, but keep backups.
    Just in cas
