So I discovered a critical unauthenticated RCE which I disclosed to the vendor. It relates to millions of IoT devices, many of which are on the public Internet and very exploitable. RCE gives full control (root shell) of the device, far more than even the owner of it has.
As far as I know it is not currently being exploited in the wild.
The vendor has verified the issue, and is hopefully working on a fix.
I did ask for a timeline on how long it will take for patches to be available, and when they plan to make a public disclosure so people know how serious/urgent this is and can apply the update, but I’ve not been able to get an answer to that.
After 2/3 weeks, I did advise them I planned to make a public disclosure 60 days from the date I reported it. They said that wasn’t long enough, so I offered to make it 75 days with a limited disclosure initially, followed in 2/3 months by full disclosure.
They said they would decide if, when, how and to what extent any disclosure would be made, at their sole discretion. They have offered a bounty, but it’s looking like I’d have to sign a legally binding contract to get it, which means I’d not be able to say anything about this vulnerability or any I discover relating to them in the future.
That doesn’t sit well with me. I’m all for responsible disclosure to protect the public, but potentially just keeping quiet about it, or downplaying the severity when it actually is disclosed by them, doesn’t seem responsible, even if it protects their international reputation. They do have contracts with large companies and governments, and are also widely used by normal consumers.
Is this standard practice by vendors?
Any thoughts or advice welcome.