April 18, 2021

Found security vulnerability, what should I do?

Hello everyone, it’s the first time I discovered a vulnerability (encountered accidentally) so I would like to make sure that I react properly. I’m not an expert but I could easily say that’s a major vulnerability, it’s concern a linux distribution which needs a physical access to the machine. I already contacted the security team (that doesn’t offer a bug bounty) who replied to me “Thank you for passing this on, really appreciate it. I’ll get it in front of the right team for further investigation…”. My question is after they patched the vulnerability, could I post the vulnerability? on reddit? Or do I need to ask them first? Thank you in advance for your advice.

Comments

tweedge

If you have signed an NDA, they own the disclosure timeline.

If you haven’t, you own the disclosure timeline, and you should plan ahead for what that looks like, then contact them and tell them what date you plan to disclose the issue on (generally, 30-90 days, I recommend 60). That of course means you can disclose now if you like, but a reasonable recommendation to avoid scrutiny is to be polite about it and allow them reasonable time to make the fix – how much time you give is up to you. They might ask for more time, and you get to decide whether or not to honor that.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.