Informing a Company of a Security Discovery?

Posted by Cliff on Sat Nov 04, 2006 12:45 AM
from the don't-shoot-the-messenger dept.
An anonymous reader asks: "I recently found a major security flaw through serendipitous independent research. I do not want to go into details, but it could be used against certain companies and have a large negative financial impact. However, I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem. Seeing as many researchers have been persecuted/prosecuted lately for public disclosure, what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?"
  • If you're concerned about legal issues, you could find some way to notify them anonymously and untraceably.

    Can't sue what you can't name...

    • oh, great advice! make yourself look like a shady character so that the company won't treat you as one... wait, WHAT?!
    • Nor can you pay them.

      From the question:
      what is the best way to go about informing the company and agreeing on an appropriate fee for my services
  • Just be honest.. (Score:3, Insightful)

    by schmiddy (599730) <schmiddy.gmail@com> on Saturday November 04 2006, @01:07AM (#16713327) Homepage Journal
    Tell them how you discovered the bug (are you a full-time security researcher, just a hobbyist, discovered it by accident?). Tell them the potential severity. Then, as a footnote, mention your skills in patching security holes (assuming you have any) and offer to help them fix this hole, and potential other ones. Don't mention money in your initial email.

    If you tell them upfront that you want $$$ to fix the hole, it's going to sound an awful lot like extortion. What you might think of as a friendly e-mail offering help, they could see as "Pay me $$$ and this/further vulnerabilities won't get released to the blackhats". So just treat them nicely, and hope for the same in return.

    If they do sit on their asses for more than two weeks or so, it's probably alright to release the vulnerability to the public -- possibly anonymously if you fear retribution. Use tor/remailer if you have to publicly disclose and don't want BigCorp harassing you forever. They may suspect it was you who disclosed the vulnerability, but all they would have is a hunch. Good luck.
    • Not to be too pedantic, but this sounds like a really bad idea. You're basically at the mercy of companies to decide whether or not they want to prosecute you. It's a crapshoot as to whether you get a sensible, intelligent person on the other end of the line, or you spend tens of thousands of dollars on a lawyer. Even the hint of personal gain is enough for people to shout blackmail, and is definitely enough to bring a team of lawyers down on your family.

      It was serendipitous independent research, right?
    • A guy was in the news recently for going approximately this route. After his contact, somebody else attacked with his exploits. He got visits from the Feds and at least a lot of trouble for his efforts, I forget if he was prosecuted.

      An enlightened company would have a guarantee up front for this kind of stuff published on their website as a proactive measure. All the rest can get the silent treatment - we have to assume an attack by them since they haven't said otherwise and usually do.

      Don't pet the Grizz
  • Extortion (Score:3, Informative)

    by earnest murderer (888716) on Saturday November 04 2006, @01:29AM (#16713473)
    It will be hard to do that, mostly because that is the f'ing definition of extortion.

    My advice. Make note of it, and move any money you need to out of their hands. Tell your friends and family. Nod sagely when the shit hits the fan.

  • Find a way to send an email to an appropriate person. Start with the same first 3 sentences as in your post here. Then add that you'd expect them to take a few days to come to an internal agreement on what they'd be willing to spend to find out what you know. Let them make an offer, and unless it's ridiculously low, take it. It's found money to you. Right?

    Be sure you make two things very, very, very clear to them: (1) If they choose not to buy your information, you will just drop the matter and they

  • Here's an idea: how about entering into an agreement to look for vulnerabilities before you go looking for them? Obviously not a lot of use to you now, so how about you just pretend you don't know about this flaw you claim to know about and go get that agreement. If you can't get the agreement without revealing that you already know about a flaw, then you have no chance of getting paid anyway, so either anonymously inform them of your results or shut up about it already.
  • Write up a bit of code to exploit the security vulnerability and publish it to the web. That's the most reasonable and expedient way to get the vulnerability fixed and your 15 minutes of fame.

    Bonus points if you blog about the FBI searches of your office/residence/colon.
  • Ask Slashdot: I woke up with a dead hooker, how do I beat the rap?

    You're looking for money in exchange for providing safety. Seems an awful lot like extortion, even if you call it something else or pretend that you "have no wish to use this for malicious purposes". You may as well just open your negotiations by threatening to start by breaking their thumbs if they don't pay up.
    • Re: (Score:3, Funny)

      I woke up with a dead hooker, how do I beat the rap?

      that's an easy one. "I didn't kill her! She was dead when I bought her."

      Next!
  • I would suggest offering them the information regardless of whether they want to pay you anything, and offering your services as a consultant if they want your help fixing the issue.
  • I recently found a major security flaw through serendipitous independent research

    You want us to believe this? That's like saying you were walking along and just happened to notice your neighbor's door unlocked? Why would you be trying the door? Why would you be doing anything to find this security flaw? I don't think most people unmaliciously research things and happen to stumble on a security flaw? The tone of your post is you want to make money. You want ideas to extort without calling it extortion?
    • Meh, stupid analogies aside, I've found security flaws in software by accident. It's really not that uncommon if you happen to do a lot of reverse engineering for interoperability. Also, it's often the case that software that crashes is software that has a security flaw. Under windows, I get a popup asking me if I want to attach my debugger to software that has crashed. It's the default behaviour if you have Visual Studio installed. I often hit "Yes" because I can then press "Stop" in the debugger and t
    • I don't think most people unmaliciously research things and happen to stumble on a security flaw?

      It depends... If it was a companies web site or something that you found a hole in then the above may apply, but if it was some commercial software then I believe (morally, not necessarily legally) that all bets are off. To use your analogy, if I purchased a particular brand of padlock to evaluate with the intention of deploying it across my company wherever a padlock may be required, then I think that it is wit

      • Right, and you bought the padlocks for your company. You weren't just tugging on padlocks randomly.
    • In all fairness to the guy, he probably just did something similar to this Joel on Software [joelonsoftware.com] article.

    • I don't know about you, but before employing any software in a production environment I tend to test the hell out of it.

      I've done this before and explained that's how and why I found the flaw.
  • by ubiquitin (28396) * on Saturday November 04 2006, @02:55AM (#16713959) Homepage Journal
    So you want to disclose a bug to a company without fear of reprisal? Good! Don't want to take on any liability for private disclosure of a newly discovered vulnerability and disclosure is the right course of action? Here's how:

    step 1: get a bootable CD that supports wireless like AnonymOS or Knoppix or Auditor Linux

    step 2: find a way to randomize your laptop's wifi MAC address

    step 3: go to a random coffee shop or access point for which physical access is hard to track

    step 4: generate a gpg key for future use

    step 5: log on to the interweb and set yourself up with a gmail or hotmail or yahoo email address with a fictional name

    step 6: email your gpg private and public key to yourself for future use

    step 7: notify the company using the above fictional name

    step 8: sign your disclosure email with gpg, and include the public key so you can prove later it was you

    step 9: don't expect to be contacted, but do check that email address from a similarly anonymous point on the network in a month or two.
    • >step 2: find a way to randomize your laptop's wifi MAC address

      That's a built in feature of the anonym.os live CD.

      Hotmail account? That will lead straight to the coffee shop without the effort of a court order. Unless there's been a change, Hotmail puts the originating IP into a header.
    • step 6: email your gpg private and public key to yourself for future use

      Erm, doesn't this link your identity to the disclosure? Making steps 1-3 pointless.
      • step 6: email your gpg private and public key to yourself for future use

        Erm, doesn't this link your identity to the disclosure? Making steps 1-3 pointless.

        I imagine what the parent meant was that you email both keys to the one-time-use email address created for this purpose. That way you can retrieve it later given only the password associ

  • A Greedy Reader has already given two possible answers:
    1) Steal directly from them
    2) Extort money out of them.

    Of these I'd go with #1. With #2 you will absolutely get caught and nailed to the wall, if not in other places.

    How about:
    3) Profit by telling them so they have better security. Or would doing the right thing make you feel like too much of a tool.

    Afterward I'd also suggest:

    1) Give up your career in crime if you're too much of a pussy to go through with it. "serendipitous independent research" like
  • by kalidasa (577403) on Saturday November 04 2006, @08:26AM (#16715075) Journal

    Give up on the idea of profiting from this directly. You're likely to make more profit by developing a reputation as a serious and reliable researcher who can help companies to shore up their defense, rather than as a gray-hat who trawls for companies with security flaws looking for a payoff.

    You say there are several companies involved. Research them a little, and approach the one that looks most likely to offer you gratitude rather than a lawsuit, and ask who you should inform of a vulnerability you've discovered. GIVE THEM THE INFORMATION FIRST. After you've given them the information, you can let slip that you're looking for security consulting work. As long as you aren't holding out the information - as long as you give them the warning and all the data you have on the vulnerability BEFORE you mention the idea of providing services for pay, you're not committing extortion. Also, don't mention that other companies have the vulnerability or suggest that you're going to approach them, that might look like a shakedown, too (they might think you're offering to NOT warn the other companies if they pay you, and that, too, could be seen as extortionate). Repeat this, carefully, with other companies if you're sure they won't sue you for your trouble, never letting any one company know that the others have the vulnerability or that you are/might be doing business with them.

    Next, write up the vulnerability as a research paper. Wait until you've heard back from all of the companies you contacted that they've fixed the vulnerability, but do not mention money in connection with publishing the vulnerability; otherwise, give them six months after your first contact before submitting it to a research journal. When you do publish the vulnerability, only mention companies if it is absolutely necessary: for instance, if it's an Apache vulnerability, you need to mention Apache, but don't need to mention a company using Apache; if it's an IIS vulnerability, you need to mention Microsoft, but not a company using IIS.

    Understand that you may not get a job offer right away. The key is to treat the whole thing as a scholarly pursuit for which you DON'T expect to get paid. If you smell like some punk trying to pry money away from a bunch of companies, they'll treat you as a criminal; if you behave like a scholarly researcher who's just out to learn about and publish on the subject of security, they'll treat you as a potential resource: and most companies understand that resources cost money.

    One more thing: you might want to talk to a lawyer first. That way, it's on the record that you were trying to get the information out to the proper parties, but saw profit as a potential side effect, not your primary motivation. It's also on the record that you found the vulnerability first. A lawyer might help you to determine which companies it is and isn't safe to contact. I know that means spending some money, but it's better than ending up in federal you-know-what prison because some Chief Security Officer decided that you were trying to blackmail him.

    • Mod this up. I think this is about the only acceptable way to profit from this situation.

      While I have uncovered a number of security holes, I haven't ever profited directly from them. I added them to my resume and eventually got a job at a bank (where I uncovered more security holes). However, the only way to get a public reputation is to publish the hole.

  • I don't think you can accomplish what you want to do. It's difficult enough to notify the company that they have a vulnerability. I've read multiple accounts of people who uncovered security issues and tried to notify the company through customer support, only to get nowhere. Then, out of frustration, they publicized the vulnerability online. That would get the company's attention, but would typically result in a lawsuit or some type of criminal prosecution. As weird as it seems, analyzing computer systems

  • I recently found a major security flaw
    No, there is no security hole in rm
  • I did this once to a local ISP some six years ago and tried to report a trivial security hole "anonymously" from a cyber cafe. I don't want to disclose the details about that old security hole here (even though they've fixed their system long ago), but it was trivial in the sense that it was very easy to discover. The ISP called the police who got my identity from the cyber cafe easily. I got arrested.

    I was lucky at that time that the cyber laws were not so strict by then and that I did not cause any financ
  • If you are in the US, don't tell them anything! You risk far more than you stand to gain.

    If you are in a country with a non-broken legal system, find out what the situation is, i.e. consult a specialist attorney. However expect that you cannot charge anything for an initial warning, that is enough for the company to understand the problem and hire other experts to fix it.

  • As many people have said, you are running a *major* risk if you approach the company directly. On the other hand, if you can come to an agreement with the company that includes their commitment to not press charges, then you have accomplished what you want to do.

    So what do you do to get from point A to point B? Use an intermediary.

    Lawyers do this kind of thing all the time. "On behalf of my client, who wishes to remain anonymous, I would like to propose .... "

    A really *good* lawyer will be able to frame

    • oh yes definitely agreed, and let me add one more thing:

      Hire a lawyer, REALLY!!!
      • Every once in awhile, I blog about someone like this asking for advice. This one, I don't know if I even care to. "How can I make money after mucking around in their code/website?" Give me a break. Either you're in the security industry or you're not. If you're not, tell them about the bug and be done with it. You can tell a security company what you did and what it was later if you want.

        This falls on par with the "Should we drive around and hack them and then try to sell them our services?!" gawd
        • Re: (Score:3, Insightful)

          "Should we drive around and hack them and then try to sell them our services?!"

          Agreed. I thought the guy was just trying to help them out until I read:
          "I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem."

          Sounds like extortion [wikipedia.org] to me:
          "Extortion is a criminal offense, which occurs when a person either obtains money or property from another through coercion or intimidation or threatens one with physical harm unless they are paid money or
          • From what he's saying, this guy found the bug through unrelated research and realized that it could affect these big companies. Offering to fix the problem for money is OK, but threatening to release the bug if they don't pay him is what could fetch a criminal charge... This leaves him in the difficult position where releasing details of the bug for free could place him in jeopardy.

            I'd second the motion for a lawyer... He's in a legal minefield. doing anything (and possibly even doing nothing) could fe

    • Why hire a lawyer? All a lawyer is going to do is tell you to keep your mouth shut. This can be valuable advice for those who can't figure this out by themselves. But for you it is a waste of money. You could also write in anonymously; forget about the profit angle. You know, do a good turn daily.
      • Shya, as if a lawyer isn't going to figure out a nice way to get money out of people without it looking (legally) like extortion.
      • All a lawyer is going to do is tell you to keep your mouth shut.

        That would probably be the best course of action.

        In many states, it is simply illegal to access a computer without authorization.

        Even a simple port scan may be illegal if you haven't been authorized by the owner of the computer.

        If you must tell them, do it anonymously and go on with your life. Let them have it fixed by their choice of experts who they trust. If they have any brains at all, they aren't going to pay you to fix it, anyway.

        • How true - glad to see someone supporting lawyers in cases where they are needed. Divorces, small claims court, car accidents, etc. can all be handled well and good without lawyers, but if you're dealing with Billion $ companies who have teams of lawyers, you don't want to move a muscle before consulting with one yourself.
          • That's a very simplistic and childish view and it makes me wonder how much you've dealt with lawyers.

            I deal with them almost every day and the woman I'm dating is a paralegal. I rarely meet a lawyer (actually never have) that lives down to the stereotypes.

            I've found many lawyers very helpful with their advice and time, but that might also be because they're my clients and love the services I provide. The more I've worked with them, the more I can see why they work the way they do and I can also see how th
            • The more I've worked with them, the more I can see why they work the way they do and I can also see how the uninformed, without experience or knowledge of how they work could misinterpret what they do if such a person were more interested in denigrating people instead of understanding them.

              When two engineers take opposite positions in a disagreement, at least one of them is necessarily in error. The one(s) found in error are subject to unlimited personal liability that cannot be discharged in bankrup

    • Re: (Score:3, Insightful)

      This is actually a really pressing first amendment issue IMHO. This stuff should not be anymore illegal than someone putting a strain gauge on important bridge supports and discovering that the bridge is likely to collapse when 5 18-wheelers go over it at the same time. This kind of targeted disclosure only improves security in the long run.

      In fact with the way the laws are written right now, companies act just like politicians would if it were trivial to prove libel.

      • As right as you are on the issue of freedom to test for security issues, I really dislike your analogy. Like all analogies, it fails to capture the complexity of the situation. In your attempt to make an easily acceptable argument you have simplified the situation such that it is absurd to consider any alternative to the conclusion you desire. Looking for security flaws is something we should all be free to do; if we are concerned with the security of a system, we should be free to test that system to de
        • I do think all analogies are flawed, and I struggled to find one I thought would fit at all. In modern America of course, those who would thwart the engineer have a new word to wave around. They can yell 'security' and everybody will duck, hide and abandon their belief in any part of the constitution whatsoever.

          I considered the 'blowing up the bridge' case in thinking about this. To me, the act of blowing up the bridge is what's wrong, not the testing. I agree that the engineer's motives should come un

        • Ha.

          Ever drive across the George Washington Bridge from NYC? There are signs everywhere saying "Camera usage Prohibited by law," or something along those lines. You can't even take a picture of the bridge. Try putting strain gauges on it...
          • They probably never thought of that. By the time the security neanderthal has decided s/h/it doesn't like you using the strain gauge, you'll have long gone.
    • Yep, because companies often pay people they've never met to come to their offices and explain things they don't wanna know and, by knowing, give them an obligation to spend money to fix. Happens all the time.
    • If you're not in the security industry, but have an interest and quite a lot of technical expertise, why not approach security firms with some of the details? If this flaw really is earth shattering for the financial institutions, the security firms will see $$$ and they'll have the connections to get inside and start fixing the problem (hopefully with you leading the contract).

      You'll want to speak with a lawyer first to make sure the security firm just couldn't say "thank you, we'll go fix it ourselves