DEV Community


Posted on

I reported a security vulnerability. Now what?

I recently discovered a vulnerability for the first time. I found the product's security contact and sent some information. Ideally they will respond acknowledging the issue and provide a timeline for a patch.

What if that doesn't happen? How long is appropriate to wait before following up? When do you promise public disclosure? What if they disagree that it is a vulnerability?

Is there a guide for reporting vulnerabilities somewhere? I thought I'd be able to find one but I wasn't able to. A resource like that would be handy.

Top comments (5)

exadra37 profile image
Paulo Renato

Troy Hunt, a well known security expert, as several articles about responsible disclosure, just google with this term responsible disclosure and see the several articles he have about it.

ryan profile image
Ryan • Edited

I like Troy Hunt and read his site regularly. He's one reason I'm interested in infosec. However the articles on his site seem to be all about "how not to handle disclosure the completely horribly most very wrong way as a company", and not so much about the reporting side.

michaelgv profile image

There’s a limit of responsible disclosure, I usually do 90 days after report. Make sure you do numerous follow ups if they fail to respond and inform them you’ll be disclosing in 90 days if they fail to provide a patch.

If they disagree it’s a vulnerability, then let the internet decide in your public disclosure.

shostarsson profile image
Rémi Lavedrine

Isn't that company on a Bug Bounty?
Is there a security part in its website to communicate with them using their PGP key?

If so, be careful about what you are doing. Some companies are prone to prosecute you based of this kind of behavior (and the Internet is not going to help on that).

ben profile image
Ben Halpern