Informing a Company of a Security Discovery?
An anonymous reader asks: "I recently found a major security flaw through serendipitous independent research. I do not want to go into details, but it could be used against certain companies and have a large negative financial impact. However, I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem. Seeing as many researchers have been persecuted/prosecuted lately for public disclosure, what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?"
Ugh (Score:1)
Re: (Score:2)
You'll want to speak with a lawyer first to make sure the security firm just couldn't say "thank you, we'll go fix it ourselves
Look into ZDI (Score:1)
From their front page:
The Zero Day Initiative (ZDI), founded by TippingPoint, a division of 3Com, represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. The program's goal is threefold:
Re: (Score:2)
oh yes definitely agreed, and let me add one more thing:
Hire a lawyer, REALLY!!!
Re: (Score:2)
This falls on par with the "Should we drive around and hack them and then try to sell them our services?!" gawd
Re: (Score:3, Insightful)
Agreed. I thought the guy was just trying to help them out until I read:
"I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem."
Sounds like extortion [wikipedia.org] to me:
"Extortion is a criminal offense, which occurs when a person either obtains money or property from another through coercion or intimidation or threatens one with physical harm unless they are paid money or
Re: (Score:2)
I'd second the motion for a lawyer... He's in a legal minefield. doing anything (and possibly even doing nothing) could fe
Re: (Score:1)
If the lawyer fails, sue them, using another lawyer of course.
Re: (Score:1)
Spoken like someone who has never been involved in a real business deal. Here's a little nugget of wisdom, son: Lawyers are your friends in business deals.
A lawyer is not a friend under any circumstances (Score:1, Interesting)
If lawyers gave legal advice and assumed liability when the advice they gave was inappropriate or failed to protect the client then you would have a point. They would be supplying a useful service.
As things stand though, lawyers on both sides of an argument benefit from legal action but suffer no fallout from losses suffered through following their legal advice. That lack of necessary negative feedback is what makes them a pure shyster and snake oil profession, a
Re:A lawyer is not a friend under any circumstance (Score:2)
I deal with them almost every day and the woman I'm dating is a paralegal. I rarely meet a lawyer (actually never have) that lives down to the stereotypes.
I've found many lawyers very helpful with their advice and time, but that might also be because they're my clients and love the services I provide. The more I've worked with them, the more I can see why they work the way they do and I can also see how th
Re: (Score:2)
When two engineers take opposite positions in a disagreement, at least one of them is necessarily in error. The one(s) found in error are subject to unlimited personal liability that cannot be discharged in bankrup
Re: (Score:2)
You lose. Thank you for playing.
Re:A lawyer is not a friend under any circumstance (Score:1)
Sorry, son. I'll stop at your subject line. You are an imbecile. A lawyer is your friend in a lot of circumstances, especially when your enemy is a lawyer. When you graduate from high school or whatever liberal arts college you are attending and actually do something in life, you will realize that lawyers can play a valuable role in society. Of course, getting you probation on your marijuana possession charge is one...
Re: (Score:2)
That would probably be the best course of action.
In many states, it is simply illegal to access a computer without authorization.
Even a simple port scan may be illegal if you haven't been authorized by the owner of the computer.
If you must tell them, do it anonymously and go on with your life. Let them have it fixed by their choice of experts who they trust. If they have any brains at all, they aren't going to pay you to fix it, anyway.
Well (Score:2)
If you're concerned about legal issues, you could find some way to notify them anonymously and untraceably.
Can't sue what you can't name...
Re: (Score:2)
From the question:
good question (Score:1)
So, basically, you're not going to want to send them a letter, crafted on construction paper, with random letters cut from miscellaneous periodical literature, formed in words and sentence
Re: (Score:3, Insightful)
This is actually a really pressing first amendment issue IMHO. This stuff should not be anymore illegal than someone putting a strain gauge on important bridge supports and discovering that the bridge is likely to collapse when 5 18-wheelers go over it at the same time. This kind of targeted disclosure only improves security in the long run.
In fact with the way the laws are written right now, companies act just like politicians would if it were trivial to prove libel.
Re: (Score:1)
How about this: the bridge you would test is on public property. If I happen to own a bridge, that is on my private property, you have no right to enter my property in order to "test" this bridge.
The servers a hacker would be messing with are private property. In the analogous situation, the would-be hacker has no special right to "test" the servers, if the property owner hasn't approved of it -- it may be a form of trespass.
Re: (Score:2)
I do think all analogies are flawed, and I struggled to find one I thought would fit at all. In modern America of course, those who would thwart the engineer have a new word to wave around. They can yell 'security' and everybody will duck, hide and abandon their belief in any part of the constitution whatsoever.
I considered the 'blowing up the bridge' case in thinking about this. To me, the act of blowing up the bridge is what's wrong, not the testing. I agree that the engineer's motives should come un
Re: (Score:2)
Ever drive across the George Washington Bridge from NYC? There are signs everywhere saying "Camera usage Prohibited by law," or something along those lines. You can't even take a picture of the bridge. Try putting strain gauges on it...
Just be honest.. (Score:3, Insightful)
If you tell them upfront that you want $$$ to fix the hole, it's going to sound an awful lot like extortion. What you might think of as a friendly e-mail offering help, they could see as "Pay me $$$ and this/further vulnerabilities won't get released to the blackhats". So just treat them nicely, and hope for the same in return.
If they do sit on their asses for more than two weeks or so, it's probably alright to release the vulnerability to the public -- possibly anonymously if you fear retribution. Use tor/remailer if you have to publicly disclose and don't want BigCorp harassing you forever. They may suspect it was you who disclosed the vulnerability, but all they would have is a hunch. Good luck.
Re: (Score:2)
It was serendipitous independent research, right?
Don't pet the Grizzly. (Score:2)
An enlightened company would have a guarantee up front for this kind of stuff published on their website as a proactive measure. All the rest can get the silent treatment - we have to assume an attack by them since they haven't said otherwise and usually do.
Don't pet the Grizz
don't expect to get paid.... (Score:1)
If you are willing to travel to the head offices of the company in question and explain, in person, what you have discovered, it is reasonable that the company would pay your travel expenses and a fee for your time.
why do you think you deserve money? (Score:1, Insightful)
Have you considered that maybe they don't have source code to th
Extortion (Score:3, Informative)
My advice. Make note of it, and move any money you need to out of their hands. Tell your friends and family. Nod sagely when the shit hits the fan.
An old guy's suggestion (Score:2, Insightful)
Find a way to send an email to an appropriate person. Start with the same first 3 sentences as in your post here. Then add that you'd expect them to take a few days to come to an internal agreement on what they'd be willing to spend to find out what you know. Let them make an offer, and unless it's ridiculously low, take it. It's found money to you. Right?
Be sure you make two things very, very, very clear to them: (1) If they choose not to buy your information, you will just drop the matter and they
Appropriate Fee (Score:2)
Simple (Score:2)
Bonus points if you blog about the FBI searches of your office/residence/colon.
What's next? (Score:2)
You're looking for money in exchange for providing safety. Seems an awful lot like extortion, even if you call it something else or pretend that you "have no wish to use this for malicious purposes". You may as well just open your negotiations by threatening to start by breaking their thumbs if they don't pay up.
Re: (Score:3, Funny)
that's an easy one. "I didn't kill her! She was dead when I bought her."
Next!
give the info for free (Score:2)
Just happened to find a major security flaw? (Score:3, Insightful)
You want us to believe this? That's like saying you were walking along and just happened to notice your neighbor's door unlocked? Why would you be trying the door? Why would you be doing anything to find this security flaw? I don't think most people unmaliciously research things and happen to stumble on a security flaw? The tone of your post is you want to make money. You want ideas to extort without calling it extortion?
Re: (Score:2)
It depends... If it was a company's web site or something that you found a hole in then the above may apply, but if it was some commercial software then I believe (morally, not necessarily legally) that all bets are off. To use your analogy, if I purchased a particular brand of padlock to evaluate with the intention of deploying it across my company wherever a padlock may be required, then I think that it is wit
Re: (Score:2)
I've done this before and explained that's how and why I found the flaw.
anonymous disclosure howto (Score:3, Informative)
step 1: get a bootable CD that supports wireless like AnonymOS or Knoppix or Auditor Linux
step 2: find a way to randomize your laptop's wifi MAC address
step 3: go to a random coffee shop or access point for which physical access is hard to track
step 4: generate a gpg key for future use
step 5: log on to the interweb and set yourself up with a gmail or hotmail or yahoo email address with a fictional name
step 6: email your gpg private and public key to yourself for future use
step 7: notify the company using the above fictional name
step 8: sign your disclosure email with gpg, and include the public key so you can prove later it was you
step 9: don't expect to be contacted, but do check that email address from a similarly anonymous point on the network in a month or two.
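Steps 8 and 9 above want one property from GPG: a disclosure sent under a throwaway identity that the sender can later prove was theirs, without revealing anything at the time. The following is an added example, not the commenter's own procedure and not GPG; it gets the same "prove later it was you" property from a hash commitment plus an HMAC, so it runs with the Python standard library only and there is no private key to stash in a webmail inbox. The sender keeps a random secret offline, includes SHA-256(secret) and HMAC(secret, report) in the message, and later proves authorship by revealing the secret. The sample report text, function names and message layout are all constructed for this illustration.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Constructed sample disclosure text; not a real report from the thread.
SAMPLE_REPORT = "Vulnerability report: example only, constructed for this demonstration."


def make_disclosure(report: str, secret: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Build the message to send and the secret to keep offline.

    The message carries the report, a commitment SHA-256(secret), and an
    HMAC-SHA256 tag over the report keyed with the secret. Revealing the
    secret later proves both who sent the message and exactly what was sent;
    the message itself leaks nothing about the sender.
    """
    if secret is None:
        secret = os.urandom(32)  # keep this offline, never in the disclosure
    commitment = hashlib.sha256(secret).hexdigest()
    tag = hmac.new(secret, report.encode("utf-8"), hashlib.sha256).hexdigest()
    message = json.dumps(
        {"report": report, "commitment": commitment, "tag": tag}, sort_keys=True
    )
    return message, secret


def verify_claim(message: str, revealed_secret: bytes) -> bool:
    """Check a later 'it was me' claim against the message as originally received.

    Returns True only if the revealed secret matches the commitment AND the
    report text in the message is byte-for-byte what that secret was used to
    tag, so neither a different claimant nor an altered report passes.
    """
    try:
        fields = json.loads(message)
        report = fields["report"]
        commitment = fields["commitment"]
        tag = fields["tag"]
    except (ValueError, KeyError, TypeError):
        return False
    if not hmac.compare_digest(hashlib.sha256(revealed_secret).hexdigest(), commitment):
        return False
    expected = hmac.new(revealed_secret, report.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Sender side: produce the message and keep the secret somewhere safe.
    msg, secret = make_disclosure(SAMPLE_REPORT)
    print(msg)
    # Months later: the company checks the claim against the message they kept.
    print("claim verifies:", verify_claim(msg, secret))
    print("wrong secret:", verify_claim(msg, bytes(32)))
```

The company should archive the disclosure exactly as received, since the later proof is only as good as their copy of the message; the sender needs only the 32-byte secret, which is easier to keep off any network than a GPG keyring.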
Re: (Score:2)
That's a built in feature of the anonym.os live CD.
Hotmail account? That will lead straight to the coffee shop without the effort of a court order. Unless there's been a change, Hotmail puts the originating IP into a header.
Re: (Score:2)
Erm, doesn't this link your identity to the disclosure? Making steps 1-3 pointless.
Re: (Score:2)
I imagine what the parent meant was that you email both keys to the one-time-use email address created for this purpose. That way you can retrieve it later given only the password associ
Or Option 3: (Score:2)
1) Steal directly from them
2) Extort money out of them.
Of these I'd go with #1. With #2 you will absolutely get caught and nailed to the wall, if not in other places.
How about:
3) Profit by telling them so they have better security. Or would doing the right thing make you feel like too much of a tool.
Afterward I'd also suggest:
1) Give up your career in crime if you're too much of a pussy to go through with it. "serendipitous independent research" like
Do not try to profit from it. (Score:1)
My advice is to
Profit from developing a reputation (Score:5, Insightful)
Give up on the idea of profiting from this directly. You're likely to make more profit by developing a reputation as a serious and reliable researcher who can help companies to shore up their defense, rather than as a gray-hat who trawls for companies with security flaws looking for a payoff.
You say there are several companies involved. Research them a little, and approach the one that looks most likely to offer you gratitude rather than a lawsuit, and ask who you should inform of a vulnerability you've discovered. GIVE THEM THE INFORMATION FIRST. After you've given them the information, you can let slip that you're looking for security consulting work. As long as you aren't holding out the information - as long as you give them the warning and all the data you have on the vulnerability BEFORE you mention the idea of providing services for pay, you're not committing extortion. Also, don't mention that other companies have the vulnerability or suggest that you're going to approach them, that might look like a shakedown, too (they might think you're offering to NOT warn the other companies if they pay you, and that, too, could be seen as extortionate). Repeat this, carefully, with other companies if you're sure they won't sue you for your trouble, never letting any one company know that the others have the vulnerability or that you are/might be doing business with them.
Next, write up the vulnerability as a research paper. Wait until you've heard back from all of the companies you contacted that they've fixed the vulnerability, but do not mention money in connection with publishing the vulnerability; otherwise, give them six months after your first contact before submitting it to a research journal. When you do publish the vulnerability, only mention companies if it is absolutely necessary: for instance, if it's an Apache vulnerability, you need to mention Apache, but don't need to mention a company using Apache; if it's an IIS vulnerability, you need to mention Microsoft, but not a company using IIS.
Understand that you may not get a job offer right away. The key is to treat the whole thing as a scholarly pursuit for which you DON'T expect to get paid. If you smell like some punk trying to pry money away from a bunch of companies, they'll treat you as a criminal; if you behave like a scholarly researcher who's just out to learn about and publish on the subject of security, they'll treat you as a potential resource: and most companies understand that resources cost money.
One more thing: you might want to talk to a lawyer first. That way, it's on the record that you were trying to get the information out to the proper parties, but saw profit as a potential side effect, not your primary motivation. It's also on the record that you found the vulnerability first. A lawyer might help you to determine which companies it is and isn't safe to contact. I know that means spending some money, but it's better than ending up in federal you-know-what prison because some Chief Security Officer decided that you were trying to blackmail him.
Re: (Score:2)
While I have uncovered a number of security holes, I haven't ever profited directly from them. I added them to my resume and eventually got a job at a bank (where I uncovered more security holes). However, the only way to get a public reputation is to publish the hole.
It will be difficult (Score:2)
I don't think you can accomplish what you want to do. It's difficult enough to notify the company that they have a vulnerability. I've read multiple accounts of people who uncovered security issues and tried to notify the company through customer support, only to get nowhere. Then, out of frustration, they publicized the vulnerability online. That would get the company's attention, but would typically result in a lawsuit or some type of criminal prosecution. As weird as it seems, analyzing computer systems
No (Score:2)
DON'T!!!! Delete all your records and forget it. (Score:2)
I was lucky at that time that the cyber laws were not so strict by then and that I did not cause any financ
Depends on where you are (Score:2)
If you are in a country with a non-broken legal system, find out what the situation is, i.e. consult a specialist attorney. However, expect that you cannot charge anything for an initial warning that is enough for the company to understand the problem and hire other experts to fix it.
stop (Score:1)
Go outside, smell the fresh air, walk around a little, and think about how much of this you'll miss when you're thrown behind bars in PMITA prison, with no hope of release because you som
Use a Lawyer as a "cut-out" (Score:2)
So what do you do to get from point A to point B? Use an intermediary.
Lawyers do this kind of thing all the time. "On behalf of my client, who wishes to remain anonymous, I would like to propose
A really *good* lawyer will be able to frame
Don't report it (Score:1)
Some good examples of what to do (Score:1)
Hmmm... (Score:1)
For the person asking the question: I'd hang on to all that information, if I were you. Find some way for it to get (discreetly) into the right hands, but keep backups.
Just in cas